
Windows Analysis Report
coordinator.exe

Overview

General Information

Sample name:coordinator.exe
Analysis ID:1411666
MD5:4e5402787e7854f4fa33f73853d5dfb3
SHA1:0410b7c5441eda53a554e2c05e70b1316b8cf07b
SHA256:912c0c803c8d8935c2cc6acc893982f8be3a0331709603e1e5d8a77d4e276456

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

The score rests on static heuristics (dynamic API resolution through GetProcAddress, a non-standard .xdata section name, a debugger-detection API chain, an idle run that tried to load missing DLLs) rather than on observed behaviour: no files were dropped, no registry values were written, and no network traffic or DNS queries were seen. The file carries a valid DigiCert code-signing signature with subject ZoomInfo Technologies LLC (see the signature fields below) and is flagged by 4% (ReversingLabs) and 8% (Virustotal) of scanners, so read the verdict as "suspicious, needs analyst review" and verify the signature chain independently rather than relying on the "certificate valid" field alone.

Signatures

Multi AV Scanner detection for submitted file
Found API chain indicative of debugger detection
Contains functionality to dynamically determine API calls
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Classification axes (slider legend): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious.
  • System is w10x64
  • coordinator.exe (PID: 6376 cmdline: "C:\Users\user\Desktop\coordinator.exe" MD5: 4E5402787E7854F4FA33F73853D5DFB3)
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched



AV Detection and other signature sources

Source: coordinator.exe | Virustotal: Detection: 8%
Source: coordinator.exe | Static PE information: certificate valid
Source: coordinator.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: coordinator.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: coordinator.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: coordinator.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: coordinator.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: coordinator.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: coordinator.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: coordinator.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: coordinator.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: coordinator.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: coordinator.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: coordinator.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: coordinator.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: coordinator.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: C:\Users\user\Desktop\coordinator.exe | Code function: 0_2_00406A70
Source: C:\Users\user\Desktop\coordinator.exe | Code function: 0_2_00406203
Source: C:\Users\user\Desktop\coordinator.exe | Code function: 0_2_004088C0
Source: C:\Users\user\Desktop\coordinator.exe | Code function: 0_2_00407D00
Source: C:\Users\user\Desktop\coordinator.exe | Code function: 0_2_00408720
Source: C:\Users\user\Desktop\coordinator.exe | Code function: 0_2_004063E0
Source: C:\Users\user\Desktop\coordinator.exe | Code function: 0_2_00405BA0
Source: C:\Users\user\Desktop\coordinator.exe | Code function: String function: 00401DC0 appears 90 times
Source: C:\Users\user\Desktop\coordinator.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\coordinator.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\coordinator.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\coordinator.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\coordinator.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\coordinator.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\coordinator.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\coordinator.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\coordinator.exe | Section loaded: wintypes.dll (three load events)
Source: classification engine | Classification label: mal52.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\coordinator.exe | Code function: 0_2_00404E30 GetLastError,FormatMessageA
Source: coordinator.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ (the report also expands the section's 4-bit alignment field into every IMAGE_SCN_ALIGN_* name; those values are defined only for object files and carry no meaning in a linked image, so they are omitted here)
Source: C:\Users\user\Desktop\coordinator.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: coordinator.exe | Virustotal: Detection: 8%
Source: C:\Users\user\Desktop\coordinator.exe | File read: C:\Users\user\Desktop\coordinator.exe
Source: coordinator.exe | Static PE information: certificate valid
Source: coordinator.exe | Static file information: File size 10107024 > 1048576
Source: C:\Users\user\Desktop\coordinator.exe | Code function: 0_2_004052A0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,free
Source: coordinator.exe | Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\coordinator.exe | Code function: 0_2_0040F72E push rbx; ret (0_2_0040F72F)
Source: C:\Users\user\Desktop\coordinator.exe | Code function: 0_2_00402EB0 GetProcAddress x50 (fifty consecutive GetProcAddress calls in one function)
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging

Source: C:\Users\user\Desktop\coordinator.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep (graph_0-4232)
Source: C:\Users\user\Desktop\coordinator.exe | Code function: 0_2_004052A0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,free
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\coordinator.exe | Code function: 0_2_004011B0 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,malloc,memcpy,_cexit,_initterm,GetStartupInfoW,exit
Source: C:\Users\user\Desktop\coordinator.exe | Code function: 0_2_00409540 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort
Source: C:\Users\user\Desktop\coordinator.exe | Code function: 0_2_00409460 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter

Caveat on this signature: the chain in 0_2_00409460 (GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter) is the sequence the C runtime's __security_init_cookie uses to seed the stack cookie, and 0_2_00409540 (RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, then UnhandledExceptionFilter, TerminateProcess, abort) matches the runtime's __report_gsfailure handler. The msvcrt.dll imports (__wgetmainargs, __set_app_type, _amsg_exit) and the .CRT/.xdata sections mark this as a MinGW-w64 build, whose gs_support.c contains exactly those two functions. Both are emitted by the compiler runtime rather than written by the application, so the "API chain indicative of debugger detection" is a weak, import-pattern indicator here; confirm it only if the decompiled block actually branches on a timing delta before ExitProcess or Sleep.
MITRE ATT&CK matrix. The report renders a 14-column matrix (Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact); only cells with a count are matched, the count being the number of signatures behind the technique. Matched techniques:

Execution: Native API (1)
Persistence: DLL Side-Loading (1)
Privilege Escalation: DLL Side-Loading (1)
Defense Evasion: Virtualization/Sandbox Evasion (1); Deobfuscate/Decode Files or Information (1); DLL Side-Loading (1); Obfuscated Files or Information (2)
Discovery: System Time Discovery (1); Security Software Discovery (1); Virtualization/Sandbox Evasion (1); System Information Discovery (3)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1)

No technique matched under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact; the names shown in those columns (Gather Victim Identity Information, Acquire Infrastructure, Valid Accounts, OS Credential Dumping, Remote Services, Exfiltration Over Other Network Medium, Abuse Accessibility Features, and so on) are the matrix's unhighlighted placeholder cells.
Behavior Graph (ID 1411666; sample coordinator.exe; start date 19/03/2024; architecture WINDOWS; score 52). The graph holds a single process node, coordinator.exe, started from the sample, with two signatures attached: "Multi AV Scanner detection for submitted file" on the sample and "Found API chain indicative of debugger detection" on the process. The legend and node icons are not reproduced.

Antivirus detection (Source | Detection | Scanner | Label):
coordinator.exe | 4% | ReversingLabs |
coordinator.exe | 8% | Virustotal |

No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1411666
Start date and time: 2024-03-19 12:28:17 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 1m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: coordinator.exe
Detection: MAL
Classification: mal52.evad.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 9
  • Number of non-executed functions: 47
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
No simulations
No context
No created / dropped files found
File type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.995802275454662
TrID:
  • Win64 Executable (generic) (12005/4) 74.80%
  • Generic Win/DOS Executable (2004/3) 12.49%
  • DOS Executable Generic (2002/1) 12.47%
  • VXD Driver (31/22) 0.19%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: coordinator.exe
File size: 10'107'024 bytes
MD5: 4e5402787e7854f4fa33f73853d5dfb3
SHA1: 0410b7c5441eda53a554e2c05e70b1316b8cf07b
SHA256: 912c0c803c8d8935c2cc6acc893982f8be3a0331709603e1e5d8a77d4e276456
SHA512: 1fd89d4409e3554a39686c23b148a5916239910bb3bfeb950a1c3c7062dca9a87767ecb066449f08364b867e0b62f1966bc1b20c2d9f627534142cbfb8513d79
SSDEEP: 196608:hlshArd9L2jTMlUV/pb/jFszcoz2B3nH14+82r0oWmWWA8TzveaXlfcF:3sGXL2jW8Z/jFs/SFV4O0oWbObN1cF
TLSH: 2EA63398F0FA5D97EAFE4074B675C011FA72E82703AC18CB1914F4A31EAE791277D246
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....2.0........../...........................@..............................@......JQ........ ............................
Icon Hash: 4a464cd47461e179
Entrypoint: 0x4014f0
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics: (none set: the image opts into neither DYNAMIC_BASE/ASLR nor GUARD_CF, and NX_COMPAT is absent too, though a 64-bit process always runs with DEP regardless; combined with RELOCS_STRIPPED and the empty relocation directory below, the image can only be loaded at its preferred base 0x400000)
Time Stamp: 0x30013205 [Mon Jul 10 13:58:29 1995 UTC] (28 years before the certificate's Not Before date; not a usable build time)
TLS Callbacks: 0x409670
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 4747944165a85176b0eccaefa44b30bb
Signature Valid: true
Signature Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before / Not After: 22/06/2023 01:00:00 / 22/06/2024 00:59:59
Subject Chain:
  • CN=ZoomInfo Technologies LLC, O=ZoomInfo Technologies LLC, L=Vancouver, S=Washington, C=US, SERIALNUMBER=7055492, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version: 3
Thumbprint MD5: 733B7F312222E14A4C4F0CFCB41E0749
Thumbprint SHA-1: 12726B2FDD0D8A82C092AC508C60887D01E8E2C2
Thumbprint SHA-256: FDCAE1A112567419F689D2C8E28F3DDF198FD0A276D5C7FC7006651A58399102
Serial: 03AE9C75707D47287100A7E9D1C3C83C
Instruction (disassembly at the entry point 0x4014f0). The report decodes this 64-bit code in 32-bit mode, so every "dec eax" below is a misread 0x48 REX.W prefix: "dec eax / sub esp, 28h" is sub rsp, 28h; "dec eax / mov eax, dword ptr [...]" is a 64-bit RIP-relative load of rax; "push ebp / dec eax / mov ebp, esp" is the usual push rbp / mov rbp, rsp frame setup.
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0000F535h]
mov dword ptr [eax], 00000001h
call 00007F1AF538B2CFh
call 00007F1AF538301Ah
nop
nop
dec eax
add esp, 28h
ret
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0000F505h]
mov dword ptr [eax], 00000000h
call 00007F1AF538B29Fh
call 00007F1AF5382FEAh
nop
nop
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
dec eax
mov ebp, esp
pop ebp
ret
nop word ptr [eax+eax+00000000h]
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 20h
dec eax
cmp dword ptr [00009B30h], 00000000h
je 00007F1AF53833A2h
dec eax
lea ecx, dword ptr [0000AA87h]
call dword ptr [0001FEEDh]
dec eax
test eax, eax
je 00007F1AF53833A1h
dec eax
lea edx, dword ptr [0000AA83h]
dec eax
mov ecx, eax
call dword ptr [0001FEE0h]
dec eax
test eax, eax
je 00007F1AF538337Bh
dec eax
lea ecx, dword ptr [00009B00h]
call eax
dec eax
lea ecx, dword ptr [00000017h]
dec eax
add esp, 20h
pop ebp
jmp 00007F1AF538B102h
dec eax
lea eax, dword ptr [0000FF96h]
Data directories (Name | Virtual Address | Virtual Size | Section):
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x21000 | 0x1018 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x25000 | 0xeec8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x12000 | 0x7f8 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x9a1038 | 0x2858 | - (a file offset, not an RVA)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x24020 | 0x28 | .tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x21404 | 0x3a0 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

Three things are worth reading off this table. First, the security directory ends at 0x9a1038 + 0x2858 = 10,107,024, exactly the file size, so the Authenticode certificate table is the last thing in the file and no unsigned data trails it. Second, the section raw data in the next table totals only 0x20800 bytes, so everything between the end of .rsrc and offset 0x9a1038, roughly 9.9 MB or about 98% of the file, is overlay; the whole-file entropy of 7.996 reported above is that overlay's, not the mapped sections' (the highest section entropy is 7.52 for .rsrc). Third, the empty BASERELOC directory together with RELOCS_STRIPPED means the image cannot be rebased, and the empty LOAD_CONFIG directory means there is no CFG metadata.
Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
.text | 0x1000 | 0x9df8 | 0x9e00 | 068343f9461138f6ee6b0353fb18ff1f | False | 0.5470 | data | 6.2408 | CNT_CODE, CNT_INITIALIZED_DATA, MEM_EXECUT E, MEM_READ
.data | 0xb000 | 0xa8 | 0x200 | 32d2283ed5ef868a4454872f2522dea3 | False | 0.1191 | data | 0.6680 | CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE
.rdata | 0xc000 | 0x5080 | 0x5200 | 1dc2dc2af095b8de44d6e9cbc2f28d9b | False | 0.5963 | data | 6.6599 | CNT_INITIALIZED_DATA, MEM_READ
.pdata | 0x12000 | 0x7f8 | 0x800 | 0f64d94dca41a43b8c90e6dc122ffb49 | False | 0.5024 | data | 4.7184 | CNT_INITIALIZED_DATA, MEM_READ
.xdata | 0x13000 | 0x75c | 0x800 | 9eca94a61981710563e722bee749e7b9 | False | 0.2988 | data | 4.0503 | CNT_INITIALIZED_DATA, MEM_READ
.bss | 0x14000 | 0xcce0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | CNT_UNINITIALIZED_DATA, MEM_READ, MEM_WRITE
.idata | 0x21000 | 0x1018 | 0x1200 | 12e016212662c2419df49ad65bd11b37 | False | 0.3053 | data | 4.0926 | CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE
.CRT | 0x23000 | 0x68 | 0x200 | 7933098268db8112a146761befffb21c | False | 0.0723 | data | 0.2672 | CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE
.tls | 0x24000 | 0x68 | 0x200 | 9f11641a4a590e1d50fb35766f337f61 | False | 0.0605 | data | 0.1991 | CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE
.rsrc | 0x25000 | 0xeec8 | 0xf000 | ff6038d51225791df3d2158c2ea53791 | False | 0.8107 | data | 7.5170 | CNT_INITIALIZED_DATA, MEM_READ, MEM_WRITE

The report's Characteristics column also lists every IMAGE_SCN_ALIGN_* name as if they were flags; bits 20-23 of the field hold a single 4-bit alignment value that is defined only for object files, so they are dropped here and only the content and memory-protection flags (IMAGE_SCN_ prefix omitted) are kept. .text is the only executable section; .idata, .CRT, .tls and .rsrc are mapped writable. The .bss virtual size of 0xcce0 with no raw data is ordinary zero-initialised storage.
Resources (Name | RVA | Size | Type | Language | Country | ZLIB Complexity):
RT_ICON | 0x251c0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.5858
RT_ICON | 0x26068 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.7360
RT_ICON | 0x26910 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.7551
RT_ICON | 0x26e78 | 0x952c | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9975
RT_ICON | 0x303a8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.3888
RT_ICON | 0x32950 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.4953
RT_ICON | 0x339f8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.7207
RT_GROUP_ICON | 0x33e60 | 0x68 | data | | | 0.7019
Imports (DLL: functions):
KERNEL32.dll: CreateProcessW, DeleteCriticalSection, EnterCriticalSection, ExpandEnvironmentStringsW, FormatMessageA, GetCommandLineW, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentVariableW, GetExitCodeProcess, GetLastError, GetModuleFileNameW, GetModuleHandleA, GetProcAddress, GetShortPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, GetTempPathW, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetDllDirectoryW, SetEnvironmentVariableW, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte, __C_specific_handler
msvcrt.dll: __argc, __dllonexit, __iob_func, __lconv_init, __set_app_type, __setusermatherr, __wargv, __wgetmainargs, __winitenv, _amsg_exit, _cexit, _fileno, _findclose, _findfirst64, _findnext64, _fmode, _fullpath, _get_osfhandle, _getpid, _initterm, _lock, _mkdir, _onexit, _rmdir, _setmode, _stat64, _strdup, _tempnam, _unlock, _vsnprintf, _wcmdln, _wfopen, _wstat64, abort, calloc, clearerr, exit, fclose, feof, ferror, fflush, fprintf, fread, free, fseek, ftell, fwrite, getenv, malloc, mbstowcs, memcpy, remove, setbuf, setlocale, signal, sprintf, strcat, strchr, strcmp, strcpy, strlen, strncat, strncmp, strncpy, strrchr, strtok, vfprintf, wcslen
USER32.dll: MessageBoxA
WS2_32.dll: ntohl
No network behavior found

System behaviour charts (CPU load in percent and memory in MB over the roughly 8-second run) are not reproduced.
Target ID: 0
Start time: 12:29:01
Start date: 19/03/2024
Path: C:\Users\user\Desktop\coordinator.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\coordinator.exe"
Imagebase: 0x400000
File size: 10'107'024 bytes
MD5 hash: 4E5402787E7854F4FA33F73853D5DFB3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Execution Graph

Execution Coverage: 6.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 20%
Total number of Nodes: 991
Total number of Limit Nodes: 9
Execution graph text export (991 nodes, 9 limit nodes; the export is cut off in the source). Condensed here to the nodes that carry API names, keyed by code address; "N API calls" is a sub-graph the exporter collapsed, and every MessageBoxA node below is the routine at 0x401dc0.

CRT and thread-state housekeeping:
  0x409540 RtlCaptureContext RtlLookupFunctionEntry -> 0x40957d RtlVirtualUnwind -> 0x4095b3 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess abort
  0x40a1d0 EnterCriticalSection -> 0x40a200 TlsGetValue GetLastError
  0x40a240 -> 0x40a260 calloc -> 0x40a27c EnterCriticalSection LeaveCriticalSection
  0x40a2c0 -> 0x40a2e0 EnterCriticalSection -> 0x40a301 free LeaveCriticalSection / 0x40a317 LeaveCriticalSection
  0x409640 -> 0x40a360 -> 0x40a410 InitializeCriticalSection; 0x40a3b5 free; 0x40a3c6 DeleteCriticalSection

Main flow from 0x4015d0:
  0x405110 malloc -> 0x405010 (0x405029 / 0x405070 WideCharToMultiByte, 0x4050ad malloc) -> 0x405180 / 0x405191 free
  0x402788 -> 0x402d90 -> 0x402d9c GetModuleFileNameW; on error 0x404e30 GetLastError FormatMessageA -> 0x401dc0 MessageBoxA
  0x402e30 -> 0x402e3d strlen
  0x4044c0 -> 0x4044e0 GetEnvironmentVariableW -> 0x404501 ExpandEnvironmentStringsW; 0x4045a0 -> 0x4045b3 SetEnvironmentVariableW free; 0x404540 -> 0x404567 SetEnvironmentVariableW free free
  0x401c70 -> 0x401c10 strcpy, 0x401c37 strcpy strcpy -> 0x401980 (file reader): 0x401996 fseek ftell; 0x401610 fseek; 0x4019bf htonl htonl fseek htonl malloc; 0x401a06 htonl fread; 0x401a2b htonl ferror; 0x401a57 fclose; 0x401a70 fseek fread; 0x401ab6 fseek fread fseek fread; 0x401b2f fseek fread; errors -> 0x401dc0 MessageBoxA; 0x401c95 fclose
  0x401b90 -> 0x402e60 -> 0x4051d0 (0x4051e9 / 0x405214 MultiByteToWideChar, 0x40523f malloc) -> 0x402e99 _wfopen
  0x40284d SetDllDirectoryW free strcmp -> 0x402870 strcpy strcpy -> 0x402680: 0x401d40 strlen -> 0x401d6b strncmp, 0x401680 htonl; 0x402af0: 0x402bb0 strlen strlen calloc, 0x402b35 strlen strncpy strlen, 0x402b63 strlen, 0x402b72 strcat; 0x4052a0 -> 0x4052b7 LoadLibraryA GetProcAddress GetProcAddress, 0x405325 free; 0x403ae0 -> 0x403aec htonl strcpy -> 0x404c10 -> 0x404c23 LoadLibraryW free -> 0x402eb0 GetProcAddress (repeated at 0x402edc, 0x402ef8, 0x402f14, 0x402f30, 0x402f4c and onwards, with a MessageBoxA branch after each), 0x403b5a GetLastError -> 0x401dc0 MessageBoxA
  0x403d60: 0x403deb / 0x403ed0 strlen strncpy, 0x403f0b strlen strncat, 0x403eae free, 0x405380 malloc; 0x4040e0: 0x404140 strlen, 0x40411d free, 0x404226 / 0x404280 htonl, 0x404273 free; 0x404430 -> 0x4042f0 htonl
  0x4029d0 SetDllDirectoryW free
  0x404c60 -> 0x404c9a (6 API calls) -> 0x404d45 (9 API calls) -> 0x404df5 WaitForSingleObject GetExitCodeProcess
  0x404710 -> 0x404726 strcpy -> 0x404747 _findfirst64 -> 0x4047c0 / 0x404870 strncpy -> 0x404960 -> 0x4048f7 _findnext64 -> 0x40490e _findclose -> 0x404917 _rmdir
  0x401d00 -> 0x401d16 free, 0x401d23 fclose

Other roots:
  0x403c00 -> 0x403c21 _strdup -> 0x403c35 malloc -> 0x403c54 setlocale -> 0x403cd0 setlocale free / 0x403c9c free
  0x402c00 _fullpath
  0x403b80 -> 0x403b8e htonl sprintf GetModuleHandleA -> 0x403ae0 (68 API calls) / 0x402eb0 (50 API calls)
  0x401cc0 htonl
  0x407a80 -> 0x407bd5 memcpy; 0x406203 -> 0x40668d memcpy

Read together with "Tries to load missing DLLs", zero dropped files and the idle verdict, the main flow is consistent with a launcher that reads its own image (File read: coordinator.exe above; the htonl calls byte-swap the fields it reads), sets the DLL search directory with SetDllDirectoryW, loads a library with LoadLibraryW, resolves about fifty exports through the GetProcAddress chain at 0x402eb0 (each failure routed to MessageBoxA), creates and waits on a child process (0x404df5), and removes a directory tree on the way out (0x404710). In the sandbox the library was not found, so the run stalled early: only 9 of the 56 instrumented functions executed according to the HCA figures above.
3840->3841 3843 401dc0 MessageBoxA 3841->3843 3844 403508 3842->3844 3845 402f68 GetProcAddress 3842->3845 3843->3844 3848 401dc0 MessageBoxA 3844->3848 3846 402f84 GetProcAddress 3845->3846 3847 40351e 3845->3847 3849 402fa0 GetProcAddress 3846->3849 3850 403534 3846->3850 3851 401dc0 MessageBoxA 3847->3851 3848->3847 3853 40354a 3849->3853 3854 402fbc GetProcAddress 3849->3854 3852 401dc0 MessageBoxA 3850->3852 3851->3850 3852->3853 3855 401dc0 MessageBoxA 3853->3855 3856 402fd8 GetProcAddress 3854->3856 3857 403560 3854->3857 3855->3857 3859 403576 3856->3859 3860 402ff4 GetProcAddress 3856->3860 3858 401dc0 MessageBoxA 3857->3858 3858->3859 3863 401dc0 MessageBoxA 3859->3863 3861 403010 GetProcAddress 3860->3861 3862 40358c 3860->3862 3865 4035a2 3861->3865 3866 40302c GetProcAddress 3861->3866 3864 401dc0 MessageBoxA 3862->3864 3863->3862 3864->3865 3867 401dc0 MessageBoxA 3865->3867 3868 4035ce 3866->3868 3869 403048 GetProcAddress 3866->3869 3870 4035b8 3867->3870 3871 401dc0 MessageBoxA 3868->3871 3872 403064 3869->3872 3873 4037de 3869->3873 3883 401dc0 MessageBoxA 3870->3883 3875 4035e4 3871->3875 3876 403345 GetProcAddress 3872->3876 3877 40306d GetProcAddress 3872->3877 3874 401dc0 MessageBoxA 3873->3874 3879 4037f4 3874->3879 3885 401dc0 MessageBoxA 3875->3885 3876->3877 3880 403361 3876->3880 3877->3870 3878 403089 GetProcAddress 3877->3878 3881 4035fa 3878->3881 3882 4030a5 GetProcAddress 3878->3882 3889 401dc0 MessageBoxA 3879->3889 3884 401dc0 MessageBoxA 3880->3884 3887 401dc0 MessageBoxA 3881->3887 3882->3875 3886 4030c1 GetProcAddress 3882->3886 3883->3868 3888 40333b 3884->3888 3885->3881 3890 403626 3886->3890 3891 4030dd GetProcAddress 3886->3891 3892 403610 3887->3892 3888->3758 3893 40380a 3889->3893 3895 401dc0 MessageBoxA 3890->3895 3891->3892 3894 4030f9 GetProcAddress 3891->3894 3898 401dc0 MessageBoxA 3892->3898 3903 401dc0 MessageBoxA 3893->3903 3896 403115 GetProcAddress 3894->3896 3897 403652 3894->3897 3899 40363c 3895->3899 
3896->3899 3901 403131 GetProcAddress 3896->3901 3900 401dc0 MessageBoxA 3897->3900 3898->3890 3902 401dc0 MessageBoxA 3899->3902 3904 403668 3900->3904 3905 40367e 3901->3905 3906 40314d GetProcAddress 3901->3906 3902->3897 3907 403820 3903->3907 3910 401dc0 MessageBoxA 3904->3910 3909 401dc0 MessageBoxA 3905->3909 3906->3904 3908 403169 GetProcAddress 3906->3908 3918 401dc0 MessageBoxA 3907->3918 3911 403185 GetProcAddress 3908->3911 3912 4036c0 3908->3912 3913 403694 3909->3913 3910->3905 3915 4031a1 GetProcAddress 3911->3915 3916 4036aa 3911->3916 3914 401dc0 MessageBoxA 3912->3914 3921 401dc0 MessageBoxA 3913->3921 3919 4036d6 3914->3919 3915->3913 3920 4031bd GetProcAddress 3915->3920 3917 401dc0 MessageBoxA 3916->3917 3917->3912 3922 403836 3918->3922 3924 401dc0 MessageBoxA 3919->3924 3920->3919 3923 4031d9 GetProcAddress 3920->3923 3921->3916 3931 401dc0 MessageBoxA 3922->3931 3925 4031f5 GetProcAddress 3923->3925 3926 4036ec 3923->3926 3924->3926 3928 403211 GetProcAddress 3925->3928 3929 403702 3925->3929 3927 401dc0 MessageBoxA 3926->3927 3927->3929 3932 403718 3928->3932 3933 40322d GetProcAddress 3928->3933 3930 401dc0 MessageBoxA 3929->3930 3930->3932 3937 40384c 3931->3937 3936 401dc0 MessageBoxA 3932->3936 3934 40372e 3933->3934 3935 403249 GetProcAddress 3933->3935 3940 401dc0 MessageBoxA 3934->3940 3938 403265 GetProcAddress 3935->3938 3939 403744 3935->3939 3936->3934 3943 401dc0 MessageBoxA 3937->3943 3938->3879 3942 403281 3938->3942 3941 401dc0 MessageBoxA 3939->3941 3940->3939 3944 40375a 3941->3944 3945 403374 GetProcAddress 3942->3945 3946 40328a GetProcAddress 3942->3946 3947 403860 3943->3947 3952 401dc0 MessageBoxA 3944->3952 3948 403390 GetProcAddress 3945->3948 3949 4037c8 3945->3949 3946->3944 3950 4032a6 GetProcAddress 3946->3950 3960 401dc0 MessageBoxA 3947->3960 3948->3946 3951 4033ac 3948->3951 3955 401dc0 MessageBoxA 3949->3955 3953 4032c2 GetProcAddress 3950->3953 3954 403770 3950->3954 3956 401dc0 MessageBoxA 3951->3956 
3952->3954 3957 403786 3953->3957 3958 4032de GetProcAddress 3953->3958 3959 401dc0 MessageBoxA 3954->3959 3955->3873 3956->3888 3963 401dc0 MessageBoxA 3957->3963 3961 40379c 3958->3961 3962 4032fa GetProcAddress 3958->3962 3959->3957 3960->3888 3964 401dc0 MessageBoxA 3961->3964 3965 403316 GetProcAddress 3962->3965 3966 4037b2 3962->3966 3963->3961 3964->3966 3965->3893 3968 403332 3965->3968 3967 401dc0 MessageBoxA 3966->3967 3967->3949 3968->3888 3969 4033c2 GetProcAddress 3968->3969 3969->3922 3970 4033de 3969->3970 3971 403474 GetProcAddress 3970->3971 3972 4033e7 GetProcAddress 3970->3972 3973 403490 3971->3973 3974 403403 GetProcAddress 3971->3974 3972->3947 3972->3974 3975 401dc0 MessageBoxA 3973->3975 3974->3907 3976 40341f GetProcAddress 3974->3976 3975->3888 3976->3937 3977 40343b 3976->3977 3977->3888 3978 403444 GetProcAddress 3977->3978 3978->3888 3979 403460 3978->3979 3980 401dc0 MessageBoxA 3979->3980 3980->3888 3986 4038e6 3981->3986 3982 403a76 3982->3788 3983 401680 2 API calls 3983->3986 3984 403a00 3984->3982 3985 403a05 7 API calls 3984->3985 3987 40abd8 3985->3987 3986->3982 3986->3983 3986->3984 3988 403abc 3986->3988 3989 403a45 __iob_func fflush __iob_func 3987->3989 3990 401dc0 MessageBoxA 3988->3990 3991 40ab78 3989->3991 3990->3982 3992 403a5c __iob_func setbuf __iob_func setbuf 3991->3992 3992->3982 3994 4055a0 malloc 3993->3994 3995 405640 3994->3995 3997 4055d0 3994->3997 3995->3794 3997->3995 3998 405605 3997->3998 4011 405440 3997->4011 3999 405621 free 3998->3999 4000 405610 free 3998->4000 3999->3794 4000->3999 4000->4000 4002 405420 4001->4002 4004 4053ab 4001->4004 4002->3795 4003 4051d0 6 API calls 4003->4004 4004->4002 4004->4003 4005 4053e2 4004->4005 4006 405401 free 4005->4006 4007 4053f0 free 4005->4007 4006->3795 4007->4006 4007->4007 4009 403d24 free 4008->4009 4010 403d35 4008->4010 4009->4009 4009->4010 4012 4051d0 6 API calls 4011->4012 4013 40545b 4012->4013 4014 40549d 4013->4014 4015 4054b0 4013->4015 4016 
40546a 4013->4016 4014->3997 4036 404f70 GetShortPathNameW 4015->4036 4023 404e90 WideCharToMultiByte 4016->4023 4019 40546f free 4019->4014 4021 40547f 4019->4021 4021->4014 4022 405484 strncpy free 4021->4022 4022->4014 4024 404f30 4023->4024 4025 404eda 4023->4025 4044 404e30 GetLastError FormatMessageA 4024->4044 4027 404ee2 malloc WideCharToMultiByte 4025->4027 4029 404f52 4027->4029 4030 404f1c 4027->4030 4028 404f35 4031 401dc0 MessageBoxA 4028->4031 4045 404e30 GetLastError FormatMessageA 4029->4045 4030->4019 4033 404f46 4031->4033 4033->4019 4034 404f57 4035 401dc0 MessageBoxA 4034->4035 4035->4030 4037 404fb0 malloc GetShortPathNameW 4036->4037 4041 404f91 4036->4041 4038 404fce free 4037->4038 4037->4041 4038->4041 4040 404e90 6 API calls 4042 404fe8 free 4040->4042 4041->4037 4041->4040 4046 404e30 GetLastError FormatMessageA 4041->4046 4042->4041 4043 404fff 4042->4043 4043->4019 4044->4028 4045->4034 4046->4041 4048 401803 4047->4048 4049 4016da htonl fseek htonl malloc 4047->4049 4052 402e60 7 API calls 4048->4052 4050 40184e 4049->4050 4051 40170f htonl fread 4049->4051 4056 401e30 MessageBoxA 4050->4056 4053 401840 4051->4053 4054 401733 4051->4054 4055 401813 4052->4055 4059 401e30 MessageBoxA 4053->4059 4057 401739 4054->4057 4065 401765 htonl malloc 4054->4065 4055->4049 4058 40181f 4055->4058 4060 401861 4056->4060 4061 401741 fclose 4057->4061 4062 40174d 4057->4062 4078 401e30 4058->4078 4059->4050 4066 401e30 MessageBoxA 4060->4066 4061->4062 4062->3815 4064 40182d 4064->3815 4067 4018ad 4065->4067 4068 40177d htonl htonl 4065->4068 4069 401879 free 4066->4069 4070 401e30 MessageBoxA 4067->4070 4071 4017ce 4068->4071 4072 401e30 MessageBoxA 4069->4072 4073 401893 4070->4073 4071->4060 4074 4017d6 4071->4074 4072->4073 4073->4069 4075 401e30 MessageBoxA 4073->4075 4074->4073 4076 4017eb 4074->4076 4075->4073 4077 4017f3 free 4076->4077 4077->4057 4079 40aaf0 4078->4079 4080 401e72 MessageBoxA 4079->4080 4080->4064 4082 404360 strlen 
4081->4082 4083 404319 4081->4083 4087 404385 4082->4087 4084 404332 4083->4084 4085 4043ef 4083->4085 4084->4087 4088 404350 free 4084->4088 4086 401dc0 MessageBoxA 4085->4086 4092 4043e5 4086->4092 4089 4043c2 4087->4089 4090 404405 4087->4090 4088->4087 4089->4092 4093 401dc0 MessageBoxA 4089->4093 4091 401dc0 MessageBoxA 4090->4091 4091->4092 4092->3822 4093->4092 4095 4016c0 21 API calls 4094->4095 4096 4018d5 4095->4096 4156 4046b0 4096->4156 4101 401966 4105 401dc0 MessageBoxA 4101->4105 4102 40190b fwrite 4103 401925 4102->4103 4104 40192a fclose free 4102->4104 4103->4104 4106 401950 4103->4106 4107 40193c 4104->4107 4105->4107 4108 401dc0 MessageBoxA 4106->4108 4107->3618 4108->4107 4110 40a7e0 4109->4110 4111 401f44 strcpy strtok strcpy strtok strcpy 4110->4111 4112 401fa8 4111->4112 4113 4021cc 4111->4113 4112->4113 4194 402a20 strlen 4112->4194 4113->3618 4118 401fff 4119 4046b0 11 API calls 4118->4119 4121 402007 4119->4121 4120 401ee0 6 API calls 4122 402080 4120->4122 4123 402022 4121->4123 4204 404b10 4121->4204 4122->4118 4124 402088 4122->4124 4125 401dc0 MessageBoxA 4123->4125 4153 40202b 4123->4153 4127 401ee0 6 API calls 4124->4127 4149 402240 4125->4149 4128 4020ae 4127->4128 4129 401ee0 6 API calls 4128->4129 4139 4020b6 4128->4139 4131 40216e 4129->4131 4130 4046b0 11 API calls 4132 4020bf 4130->4132 4135 401ee0 6 API calls 4131->4135 4131->4139 4136 4020f4 strcmp 4132->4136 4137 4020d9 4132->4137 4140 4021e0 malloc 4132->4140 4147 40219c 4132->4147 4133 401dc0 MessageBoxA 4134 402278 free 4133->4134 4134->4147 4135->4139 4136->4132 4151 402104 4136->4151 4137->4140 4138 401dc0 MessageBoxA 4138->4153 4139->4130 4139->4147 4142 402285 4140->4142 4143 4021f6 strcpy strcpy strcpy 4140->4143 4141 402112 strcmp 4141->4151 4144 401dc0 MessageBoxA 4142->4144 4145 401980 28 API calls 4143->4145 4144->4147 4145->4149 4146 4018c0 44 API calls 4146->4151 4147->4138 4148 401680 2 API calls 4148->4151 4149->4133 4150 402244 4149->4150 4150->3618 
4151->4141 4151->4146 4151->4148 4152 4021b5 4151->4152 4151->4153 4154 401dc0 MessageBoxA 4152->4154 4153->3618 4155 4021c4 free 4154->4155 4155->4113 4157 4046c4 4156->4157 4158 4018e0 4156->4158 4176 4045e0 4157->4176 4158->4107 4162 404a00 4158->4162 4160 4046d0 4160->4158 4161 401dc0 MessageBoxA 4160->4161 4161->4158 4163 40a7e0 4162->4163 4164 404a0d strcpy strcpy 4163->4164 4165 404a4a 4164->4165 4166 404ad0 4165->4166 4168 404a6c strcpy strtok 4165->4168 4175 404ac0 _mkdir 4165->4175 4185 40a820 4165->4185 4167 40a820 6 API calls 4166->4167 4169 404adb 4167->4169 4168->4165 4168->4166 4170 404aee 4169->4170 4172 401e30 MessageBoxA 4169->4172 4173 402e60 7 API calls 4170->4173 4172->4170 4174 4018f8 htonl 4173->4174 4174->4101 4174->4102 4175->4165 4177 40a7e0 4176->4177 4178 4045f0 GetTempPathW 4177->4178 4179 405010 6 API calls 4178->4179 4181 40461f 4179->4181 4180 404642 _tempnam 4180->4181 4181->4180 4182 404680 strcpy free 4181->4182 4183 40465a free 4181->4183 4182->4160 4183->4180 4184 404667 4183->4184 4184->4160 4186 40a882 _stat64 4185->4186 4187 40a835 4185->4187 4189 40a891 4186->4189 4187->4186 4188 40a83d strlen 4187->4188 4188->4186 4192 40a84a 4188->4192 4189->4165 4190 40a98b 4190->4186 4191 40a990 malloc memcpy _stat64 4191->4189 4193 40a9cb free 4191->4193 4192->4186 4192->4190 4192->4191 4193->4189 4195 40ab20 4194->4195 4196 402a43 strlen 4195->4196 4197 402a70 4196->4197 4198 402a53 strrchr 4196->4198 4197->4198 4199 401fc8 4198->4199 4200 401ee0 4199->4200 4201 401f12 4200->4201 4202 40a820 6 API calls 4201->4202 4203 401f1f 4202->4203 4203->4118 4203->4120 4205 404b1e 4204->4205 4206 402e60 7 API calls 4205->4206 4207 404b33 4206->4207 4208 404a00 19 API calls 4207->4208 4210 404b41 4208->4210 4209 404bd0 4209->4123 4210->4209 4211 404b70 fread 4210->4211 4215 404bf0 4210->4215 4213 404be0 ferror 4211->4213 4214 404b8f fwrite ferror 4211->4214 4212 404bbe fclose fclose 4212->4209 4213->4210 4213->4215 4214->4210 4216 404bb1 clearerr 
4214->4216 4215->4212 4216->4212 4218 404981 4217->4218 4223 40485c 4217->4223 4219 4049a0 strcat 4218->4219 4218->4223 4220 4049d5 4219->4220 4222 4049c2 4219->4222 4221 404710 8 API calls 4220->4221 4221->4223 4222->4223 4225 4044a0 Sleep 4222->4225 4223->3653 4445 409750 4446 40976f __iob_func fprintf 4445->4446 4505 401010 4506 401058 4505->4506 4507 40106b __set_app_type 4506->4507 4508 401075 4506->4508 4507->4508 4509 4010bb 4508->4509 4512 409740 4508->4512 4513 40acd0 __setusermatherr 4512->4513 4514 40a010 4522 40a031 4514->4522 4515 40a102 signal 4517 40a182 signal 4515->4517 4519 40a077 4515->4519 4516 40a0d7 signal 4518 40a0e9 signal 4516->4518 4516->4519 4520 40a1a0 signal 4517->4520 4525 40a07c 4518->4525 4519->4515 4519->4516 4521 40a156 signal 4519->4521 4519->4525 4520->4525 4521->4519 4523 40a1b4 signal 4521->4523 4522->4516 4522->4519 4524 40a061 signal 4522->4524 4522->4525 4523->4525 4524->4519 4524->4520 4566 4054d0 4567 4054e0 4566->4567 4568 405440 17 API calls 4567->4568 4569 4054f6 4568->4569 4570 40555d 4569->4570 4571 405440 17 API calls 4569->4571 4572 405511 4571->4572 4573 405570 free 4572->4573 4574 405519 4572->4574 4573->4570 4581 402a90 strrchr 4574->4581 4582 402ac0 strrchr 4581->4582 4583 402aae 4581->4583 4582->4583 4584 402ad5 4582->4584 4583->4582 4448 406260 4449 40626c 4448->4449 4450 406c52 4449->4450 4451 40628c memcpy 4449->4451 4451->4450 4452 401560 4453 401572 GetModuleHandleA 4452->4453 4455 401599 4452->4455 4454 401584 GetProcAddress 4453->4454 4453->4455 4454->4455 4456 407760 4457 407776 4456->4457 4459 40779b 4456->4459 4457->4459 4460 405680 4457->4460 4461 4056a2 4460->4461 4462 4056b0 memcpy 4461->4462 4463 405726 memcpy 4461->4463 4465 4056da 4461->4465 4464 405764 memcpy 4462->4464 4462->4465 4463->4459 4464->4459 4465->4459 4538 401520 4539 409460 5 API calls 4538->4539 4540 401536 4539->4540 4541 4011b0 46 API calls 4540->4541 4542 40153b 4541->4542 4585 4076e0 4586 4076f1 4585->4586 4587 407733 
4585->4587 4586->4587 4588 407708 memcpy memcpy 4586->4588 4588->4587 4589 4060e0 4590 406123 4589->4590 4591 405680 3 API calls 4590->4591 4592 4060c0 4590->4592 4591->4592 4593 4023e0 4594 4023f6 4593->4594 4595 4016c0 21 API calls 4594->4595 4596 401680 2 API calls 4594->4596 4598 402530 4594->4598 4599 4024f2 free 4594->4599 4601 402510 4594->4601 4597 40245e strcpy 4595->4597 4596->4594 4597->4594 4600 401dc0 MessageBoxA 4598->4600 4599->4594 4600->4601 4620 401ea0 __iob_func vfprintf 4226 4014f0 4231 409460 4226->4231 4228 401506 4235 4011b0 4228->4235 4230 40150b 4232 4094a0 GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 4231->4232 4233 409489 4231->4233 4234 4094fd 4232->4234 4233->4228 4234->4228 4236 4014b0 GetStartupInfoW 4235->4236 4237 4011e4 4235->4237 4244 401435 4236->4244 4238 40120c Sleep 4237->4238 4240 401221 4237->4240 4238->4237 4239 401485 _initterm 4239->4240 4240->4239 4240->4244 4245 401345 malloc 4240->4245 4246 40133f 4240->4246 4251 409a70 4240->4251 4242 40127c SetUnhandledExceptionFilter 4294 409f20 4242->4294 4244->4230 4245->4244 4247 401373 4245->4247 4246->4245 4247->4247 4248 4013a1 malloc memcpy 4247->4248 4248->4247 4249 4013c6 4248->4249 4249->4244 4250 40142a _cexit 4249->4250 4250->4244 4252 409a8b 4251->4252 4253 409aa0 4251->4253 4252->4242 4253->4252 4254 409c50 4253->4254 4256 409b3c 4253->4256 4254->4252 4259 409c59 4254->4259 4255 409d5c 4258 409890 27 API calls 4255->4258 4256->4252 4256->4255 4261 409cc1 4256->4261 4265 409b8b 4256->4265 4266 409c8d 4256->4266 4257 409900 27 API calls 4257->4259 4260 409d68 4258->4260 4259->4257 4262 409c88 4259->4262 4263 409de0 4260->4263 4264 409d7d 4260->4264 4272 409900 27 API calls 4261->4272 4267 409bc4 4262->4267 4268 409eb0 4263->4268 4269 409deb 4263->4269 4270 409d84 4264->4270 4271 409dff signal 4264->4271 4265->4256 4265->4267 4273 409d0f 4265->4273 4274 409cf6 4265->4274 4300 409900 4265->4300 4266->4274 4278 409900 
27 API calls 4266->4278 4267->4252 4283 409c13 VirtualQuery 4267->4283 4284 409ec9 signal 4268->4284 4293 409dc1 4268->4293 4275 409ded 4269->4275 4281 409e30 4269->4281 4277 409e77 4270->4277 4270->4281 4282 409d95 4270->4282 4276 409e88 signal 4271->4276 4271->4293 4272->4274 4280 409900 27 API calls 4273->4280 4352 409890 4274->4352 4275->4271 4275->4277 4276->4277 4277->4242 4278->4261 4286 409d39 4280->4286 4281->4277 4285 409e3e signal 4281->4285 4282->4277 4289 409dab signal 4282->4289 4283->4286 4288 409c2c VirtualProtect 4283->4288 4284->4293 4290 409eea signal 4285->4290 4285->4293 4292 409890 27 API calls 4286->4292 4288->4267 4291 409f00 signal 4289->4291 4289->4293 4290->4293 4291->4293 4292->4255 4293->4242 4295 409f2f 4294->4295 4297 409f5c 4295->4297 4406 40a4d0 4295->4406 4297->4240 4298 409f57 4298->4297 4299 409ff0 RtlAddFunctionTable 4298->4299 4299->4297 4305 409924 4300->4305 4301 409a52 4302 409890 14 API calls 4301->4302 4314 409a61 4302->4314 4303 4099f9 memcpy 4303->4265 4305->4301 4305->4303 4307 409993 VirtualQuery 4305->4307 4306 409a8b 4306->4265 4308 4099c1 4307->4308 4309 409a35 4307->4309 4308->4303 4311 4099d5 VirtualProtect 4308->4311 4310 409890 14 API calls 4309->4310 4310->4301 4311->4303 4312 409a21 GetLastError 4311->4312 4313 409890 14 API calls 4312->4313 4313->4309 4314->4306 4318 409b3c 4314->4318 4319 409c50 4314->4319 4315 409d5c 4317 409890 14 API calls 4315->4317 4316 409900 14 API calls 4316->4319 4320 409d68 4317->4320 4318->4306 4318->4315 4321 409bc4 4318->4321 4324 409c8d 4318->4324 4330 409d0f 4318->4330 4331 409cf6 4318->4331 4341 409cc1 4318->4341 4345 409900 14 API calls 4318->4345 4319->4306 4319->4316 4319->4321 4322 409de0 4320->4322 4323 409d7d 4320->4323 4321->4306 4339 409c13 VirtualQuery 4321->4339 4325 409eb0 4322->4325 4326 409deb 4322->4326 4327 409d84 4323->4327 4328 409dff signal 4323->4328 4324->4331 4335 409900 14 API calls 4324->4335 4340 409ec9 signal 4325->4340 4348 409dc1 4325->4348 4332 
409e30 4326->4332 4333 409ded 4326->4333 4327->4332 4338 409d95 4327->4338 4342 409e77 4327->4342 4334 409e88 signal 4328->4334 4328->4348 4329 409900 14 API calls 4329->4331 4337 409900 14 API calls 4330->4337 4336 409890 14 API calls 4331->4336 4332->4342 4343 409e3e signal 4332->4343 4333->4328 4333->4342 4334->4342 4335->4341 4336->4330 4344 409d39 4337->4344 4338->4342 4347 409dab signal 4338->4347 4339->4344 4346 409c2c VirtualProtect 4339->4346 4340->4348 4341->4329 4342->4265 4343->4348 4349 409eea signal 4343->4349 4351 409890 14 API calls 4344->4351 4345->4318 4346->4321 4347->4348 4350 409f00 signal 4347->4350 4348->4265 4349->4348 4350->4348 4351->4315 4353 4098b7 4352->4353 4354 4098d2 __iob_func 4353->4354 4355 4098eb 4354->4355 4356 409a52 4355->4356 4358 4099f9 memcpy 4355->4358 4361 409993 VirtualQuery 4355->4361 4357 409890 13 API calls 4356->4357 4368 409a61 4357->4368 4358->4273 4360 409a8b 4360->4273 4362 4099c1 4361->4362 4363 409a35 4361->4363 4362->4358 4365 4099d5 VirtualProtect 4362->4365 4364 409890 13 API calls 4363->4364 4364->4356 4365->4358 4366 409a21 GetLastError 4365->4366 4367 409890 13 API calls 4366->4367 4367->4363 4368->4360 4372 409c50 4368->4372 4383 409b3c 4368->4383 4369 409d5c 4371 409890 13 API calls 4369->4371 4370 409900 13 API calls 4370->4372 4373 409d68 4371->4373 4372->4360 4372->4370 4392 409bc4 4372->4392 4375 409de0 4373->4375 4376 409d7d 4373->4376 4374 409cc1 4382 409900 13 API calls 4374->4382 4378 409eb0 4375->4378 4379 409deb 4375->4379 4380 409d84 4376->4380 4381 409dff signal 4376->4381 4377 409c8d 4385 409cf6 4377->4385 4389 409900 13 API calls 4377->4389 4396 409ec9 signal 4378->4396 4405 409dc1 4378->4405 4386 409ded 4379->4386 4393 409e30 4379->4393 4388 409e77 4380->4388 4380->4393 4394 409d95 4380->4394 4387 409e88 signal 4381->4387 4381->4405 4382->4385 4383->4360 4383->4369 4383->4374 4383->4377 4384 409d0f 4383->4384 4383->4385 4383->4392 4399 409900 13 API calls 4383->4399 4391 409900 13 API 
calls 4384->4391 4390 409890 13 API calls 4385->4390 4386->4381 4386->4388 4387->4388 4388->4273 4389->4374 4390->4384 4398 409d39 4391->4398 4392->4360 4395 409c13 VirtualQuery 4392->4395 4393->4388 4397 409e3e signal 4393->4397 4394->4388 4401 409dab signal 4394->4401 4395->4398 4400 409c2c VirtualProtect 4395->4400 4396->4405 4402 409eea signal 4397->4402 4397->4405 4404 409890 13 API calls 4398->4404 4399->4383 4400->4392 4403 409f00 signal 4401->4403 4401->4405 4402->4405 4403->4405 4404->4369 4405->4273 4408 40a4df 4406->4408 4407 40a4f5 4407->4298 4408->4407 4409 40a54b strncmp 4408->4409 4409->4408 4410 40a560 4409->4410 4410->4298 4466 409670 4467 409682 4466->4467 4468 40a360 6 API calls 4467->4468 4469 409692 4467->4469 4468->4469 4470 405670 4471 4055a0 malloc 4470->4471 4472 405640 4471->4472 4474 4055d0 4471->4474 4473 405440 17 API calls 4473->4474 4474->4472 4474->4473 4475 405605 4474->4475 4476 405621 free 4475->4476 4477 405610 free 4475->4477 4477->4476 4477->4477 4549 402c30 4550 402c3b 4549->4550 4551 4051d0 6 API calls 4550->4551 4552 402c54 4551->4552

Executed Functions

Control-flow Graph

Basic-block edge list for the function at 004011B0 (calls GetStartupInfoW, Sleep, SetUnhandledExceptionFilter, _initterm, malloc, memcpy and _cexit); rendered as an interactive graph in the original report.
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpy
  • String ID: 00B$@B
  • API String ID: 772431862-94132468
  • Opcode ID: b2708fece6160639612611be48a508221c92f7c8619a0abe98b3a3cd3c189257
  • Instruction ID: 02d4ef7bf9abf4dc9eecb0a6a9528f7eb5de959b5bc0b6034bd358f9810f6a2a
  • Opcode Fuzzy Hash: b2708fece6160639612611be48a508221c92f7c8619a0abe98b3a3cd3c189257
  • Instruction Fuzzy Hash: 7D818DB161074486EB24AF56E8507AA37A1F789B88F84803ADF09677B5DB7CC890C70D
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: fseek$freadhtonl$fcloseferrorftellmalloc
  • String ID: Could not allocate buffer for TOC.$Could not read from file.$Error on file$M$Z
  • API String ID: 3628870323-3376586924
  • Opcode ID: ee54a8bdcd690ec48c5bb988acd39da6788b9a76cba4ed0a4d546718aff2f7c5
  • Instruction ID: 1a0f8c7eb5a3349d1172e5008706957d23bb571def8de6a44beefd7df3b8bc39
  • Opcode Fuzzy Hash: ee54a8bdcd690ec48c5bb988acd39da6788b9a76cba4ed0a4d546718aff2f7c5
  • Instruction Fuzzy Hash: 7E51C23271061082EB20EB36D45076A3361AB85B98F444237EF5D677E9DB3CE9468B4A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
    • Part of subcall function 00405110: malloc.MSVCRT(?,?,?,?,004015F3), ref: 0040512F
    • Part of subcall function 00405110: free.MSVCRT(?,?,?,?,004015F3), ref: 00405188
    • Part of subcall function 00405110: free.MSVCRT(?,?,?,?,004015F3), ref: 00405194
    • Part of subcall function 00402D90: GetModuleFileNameW.KERNEL32(00000000,?,004027A9), ref: 00402DB2
    • Part of subcall function 00402E30: strlen.MSVCRT ref: 00402E40
    • Part of subcall function 004044C0: GetEnvironmentVariableW.KERNEL32(00000000,004027CB), ref: 004044EC
    • Part of subcall function 004045A0: SetEnvironmentVariableW.KERNEL32 ref: 004045BB
    • Part of subcall function 004045A0: free.MSVCRT ref: 004045C6
  • SetDllDirectoryW.KERNEL32 ref: 00402853
  • free.MSVCRT ref: 0040285C
  • strcmp.MSVCRT ref: 00402867
  • strcpy.MSVCRT ref: 0040287D
  • strcpy.MSVCRT ref: 00402896
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: free$EnvironmentVariablestrcpy$DirectoryFileModuleNamemallocstrcmpstrlen
  • String ID: Cannot allocate memory for ARCHIVE_STATUS$Cannot open self %s or archive %s$_MEIPASS2
  • API String ID: 3780220379-3797517205
  • Opcode ID: 60098272d913a1bca15900f5aa99ba58fa40badda7778d2df3b77259d4ff7196
  • Instruction ID: 1a34446fb62ab914234271a75e7c04bf7d18d8dc9021569967f8716263540daa
  • Opcode Fuzzy Hash: 60098272d913a1bca15900f5aa99ba58fa40badda7778d2df3b77259d4ff7196
  • Instruction Fuzzy Hash: 63512BA631064081EE14FB3399593AA63516B85FC8F48813BEF09777D5DE7CC54A8349
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • htonl.WS2_32 ref: 00403AF5
  • strcpy.MSVCRT ref: 00403B1D
    • Part of subcall function 00402AF0: strlen.MSVCRT ref: 00402B38
    • Part of subcall function 00402AF0: strncpy.MSVCRT ref: 00402B46
    • Part of subcall function 00402AF0: strlen.MSVCRT ref: 00402B4E
    • Part of subcall function 00402AF0: strlen.MSVCRT ref: 00402B66
    • Part of subcall function 00402AF0: strcat.MSVCRT(00000000,?,00000000,00000000,004026AA), ref: 00402B78
    • Part of subcall function 00404C10: LoadLibraryW.KERNELBASE(?,?,?,00000000,00403B41), ref: 00404C31
    • Part of subcall function 00404C10: free.MSVCRT(?,?,?,00000000,00403B41), ref: 00404C3D
  • GetLastError.KERNEL32 ref: 00403B5A
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32(?,00000000,00000000,00403B50), ref: 00402ECA
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402EE6
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402F02
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402F1E
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402F3A
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402F56
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402F72
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402F8E
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402FAA
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402FC6
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402FE2
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402FFE
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 0040301A
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00403036
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00403052
Strings
  • Error loading Python DLL: %s (error code %d), xrefs: 00403B60
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: AddressProc$strlen$ErrorLastLibraryLoadfreehtonlstrcatstrcpystrncpy
  • String ID: Error loading Python DLL: %s (error code %d)
  • API String ID: 2560901278-3617465730
  • Opcode ID: 5b6c935b51482fd65b16711b14c3157d95b6f6abed367d443dc4d8ae6ffe335c
  • Instruction ID: 228b75ce0ba2da66a595aa3fe784c260f545e5121f672e22e4f491f5f4231035
  • Opcode Fuzzy Hash: 5b6c935b51482fd65b16711b14c3157d95b6f6abed367d443dc4d8ae6ffe335c
  • Instruction Fuzzy Hash: C501F77270174185DB10BB2AF8403D923A5AB98B88F488137EF0E573D2ED3CD549C344
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Graph: 401dc0-401e23 call 40aaf0 MessageBoxA
APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: Message
  • String ID: Fatal Error!
  • API String ID: 2030045667-3335022266
  • Opcode ID: 33d777d2b05197631e4a64d38a6ab7e51dd01ab1486459a1f58592d673ccfa7d
  • Instruction ID: 1de4722d78fe636dd98d70032e9a0c283c105082725c03b2c2cb4275dd18073d
  • Opcode Fuzzy Hash: 33d777d2b05197631e4a64d38a6ab7e51dd01ab1486459a1f58592d673ccfa7d
  • Instruction Fuzzy Hash: 06E092F2224BC082D7348B50F4507DA6324F398784FD4413A9B8953B59CF3CC265CA18
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Graph: 404c10-404c4b call 4051d0 LoadLibraryW free
APIs
    • Part of subcall function 004051D0: MultiByteToWideChar.KERNEL32(00000000,004027CB), ref: 00405203
  • LoadLibraryW.KERNELBASE(?,?,?,00000000,00403B41), ref: 00404C31
  • free.MSVCRT(?,?,?,00000000,00403B41), ref: 00404C3D
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: ByteCharLibraryLoadMultiWidefree
  • String ID:
  • API String ID: 3231889924-0
  • Opcode ID: 89c36ce7ca9d793478903834cc87af5a22948c9c2e08f0dd11472203b1b023f0
  • Instruction ID: d72214b5325e566235fa45bfe60a9f5e5854c31eaa48942dc04979b176a1bace
  • Opcode Fuzzy Hash: 89c36ce7ca9d793478903834cc87af5a22948c9c2e08f0dd11472203b1b023f0
  • Instruction Fuzzy Hash: 24D05E11F2217841EE9CB2772C5AB5651415B9DFC4D98D4395D0E4B740EC3C86860B00
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Graph: 401610-40162a fseek; 40162c-401641 call 40abc8; 401646-401649; 40164b-401668; 401670-40167c
APIs
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: fseek
  • String ID:
  • API String ID: 623662203-0
  • Opcode ID: 486d89127167c4ac469b1e802fcb1f3136cd4a3ff362a52484f7e635fc98f86c
  • Instruction ID: a8d1ea08ea68b52ca80a6828951ef16c64a0c5825662340968e7109f7e852a1f
  • Opcode Fuzzy Hash: 486d89127167c4ac469b1e802fcb1f3136cd4a3ff362a52484f7e635fc98f86c
  • Instruction Fuzzy Hash: 80F0A71271051442FB255BBBAD01BA91115A749BE8F884336EE2C673C4DA3DC9D6C714
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Graph: 402e60-402eaf call 4051d0 * 2 _wfopen
APIs
    • Part of subcall function 004051D0: MultiByteToWideChar.KERNEL32(00000000,004027CB), ref: 00405203
    • Part of subcall function 004051D0: MultiByteToWideChar.KERNEL32 ref: 00405235
    • Part of subcall function 004051D0: malloc.MSVCRT ref: 00405249
  • _wfopen.MSVCRT ref: 00402E9F
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: ByteCharMultiWide$_wfopenmalloc
  • String ID:
  • API String ID: 915931050-0
  • Opcode ID: 7dacb936e1a61a9335ef5fbae95ccc78902754a510eeade96030ee601571e1ea
  • Instruction ID: fe0ee881447e91f2452bb4e7b1d83b72c60d39a50e5e6907bc3c4f30e9d5e7ed
  • Opcode Fuzzy Hash: 7dacb936e1a61a9335ef5fbae95ccc78902754a510eeade96030ee601571e1ea
  • Instruction Fuzzy Hash: 41E07D6170481401FE246703BD0C79B93109BA5FC4F884031AE0D1FB88A83CC14B8B08
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Graph: 401c70-401c7f call 401c10; 401c81-401c84 call 401980; 401c8d-401c93; 401c95-401c9a fclose; 401ca1-401cab
APIs
    • Part of subcall function 00401C10: strcpy.MSVCRT(00000000,?,?,00401C7D), ref: 00401C27
    • Part of subcall function 00401C10: strcpy.MSVCRT(00000000,?,?,00401C7D), ref: 00401C44
    • Part of subcall function 00401C10: strcpy.MSVCRT ref: 00401C5D
    • Part of subcall function 00401980: fseek.MSVCRT ref: 0040199E
    • Part of subcall function 00401980: ftell.MSVCRT ref: 004019A6
    • Part of subcall function 00401980: htonl.WS2_32 ref: 004019D3
    • Part of subcall function 00401980: htonl.WS2_32 ref: 004019DD
    • Part of subcall function 00401980: fseek.MSVCRT ref: 004019E8
    • Part of subcall function 00401980: htonl.WS2_32 ref: 004019F0
    • Part of subcall function 00401980: malloc.MSVCRT ref: 004019F4
    • Part of subcall function 00401980: htonl.WS2_32 ref: 00401A0C
    • Part of subcall function 00401980: fread.MSVCRT ref: 00401A1D
    • Part of subcall function 00401980: htonl.WS2_32 ref: 00401A32
    • Part of subcall function 00401980: ferror.MSVCRT ref: 00401A40
    • Part of subcall function 00401980: fclose.MSVCRT ref: 00401A57
  • fclose.MSVCRT ref: 00401C95
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: htonl$strcpy$fclosefseek$ferrorfreadftellmalloc
  • String ID:
  • API String ID: 3587739394-0
  • Opcode ID: 4c711c57a34e2cf21c1e4d7a20afbe6f59ab514556367a06fc3587068a219ed9
  • Instruction ID: 58279ab67ea5789420f5e574a1042afffc297bebb55ace4ab52bd0580e816f1d
  • Opcode Fuzzy Hash: 4c711c57a34e2cf21c1e4d7a20afbe6f59ab514556367a06fc3587068a219ed9
  • Instruction Fuzzy Hash: F9D05E61B9530141FF2A6673982132622500F95BACF5C0237AE21AA3E2FA3CC4E04349
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Control-flow Graph

  • Graph: 402eb0-40348a chain of GetProcAddress blocks; each resolution failure branches to a block in 403361-403877 that calls 401dc0
APIs
Strings
  • PySys_SetArgvEx, xrefs: 004032A6
  • Cannot GetProcAddress for Py_SetProgramName, xrefs: 004035C2
  • PyString_FromFormat, xrefs: 00403390
  • Cannot GetProcAddress for Py_VerboseFlag, xrefs: 0040353E
  • _Py_char2wchar, xrefs: 004033E7
  • Cannot GetProcAddress for PySys_SetPath, xrefs: 004037BC
  • PyRun_SimpleString, xrefs: 00403265
  • Py_SetProgramName, xrefs: 0040306D
  • PyImport_ImportModule, xrefs: 004031A1
  • Cannot GetProcAddress for PyEval_InitThreads, xrefs: 00403688
  • Cannot GetProcAddress for PySys_SetObject, xrefs: 004037A6
  • Py_DecodeLocale, xrefs: 00403474
  • PySys_AddWarnOption, xrefs: 0040328A
  • Cannot GetProcAddress for Py_EndInterpreter, xrefs: 00403580
  • Cannot GetProcAddress for Py_DecodeLocale, xrefs: 00403490
  • PyObject_SetAttrString, xrefs: 00403249
  • PyUnicode_FromFormat, xrefs: 00403403
  • PyModule_GetDict, xrefs: 00403211
  • Cannot GetProcAddress for Py_IncRef, xrefs: 004035AC
  • Py_EndInterpreter, xrefs: 00402FD8
  • PyEval_AcquireThread, xrefs: 00403115
  • Py_OptimizeFlag, xrefs: 00402F68
  • Cannot GetProcAddress for PyErr_Clear, xrefs: 00403630
  • Cannot GetProcAddress for PyImport_ExecCodeModule, xrefs: 004036B4
  • Cannot GetProcAddress for _Py_char2wchar, xrefs: 00403868
  • Py_BuildValue, xrefs: 00402FA0
  • PyDict_GetItemString, xrefs: 004030A5
  • Cannot GetProcAddress for PyUnicode_Decode, xrefs: 00403854
  • Py_IncRef, xrefs: 00403010
  • Cannot GetProcAddress for PyRun_SimpleString, xrefs: 004037FE
  • PySys_SetPath, xrefs: 004032FA
  • Cannot GetProcAddress for PyObject_SetAttrString, xrefs: 0040374E
  • Cannot GetProcAddress for Py_DecRef, xrefs: 0040356A
  • Cannot GetProcAddress for PyString_FromFormat, xrefs: 004033AC
  • Py_DecRef, xrefs: 00402FBC
  • PySys_GetObject, xrefs: 004032C2
  • Cannot GetProcAddress for Py_IgnoreEnvironmentFlag, xrefs: 004034E6
  • PyEval_ReleaseThread, xrefs: 0040314D
  • Py_NoUserSiteDirectory, xrefs: 00402F4C
  • Cannot GetProcAddress for PyThreadState_Swap, xrefs: 00403814
  • Py_FrozenFlag, xrefs: 00402EF8
  • Py_Initialize, xrefs: 0040302C
  • PyErr_Print, xrefs: 004030F9
  • Cannot GetProcAddress for Py_FileSystemDefaultEncoding, xrefs: 004034BA
  • PyImport_AddModule, xrefs: 00403169
  • Cannot GetProcAddress for PyEval_ReleaseThread, xrefs: 00403672
  • Py_SetPythonHome, xrefs: 00403089
  • Cannot GetProcAddress for Py_Finalize, xrefs: 00403596
  • Cannot GetProcAddress for Py_Initialize, xrefs: 004035D8
  • Cannot GetProcAddress for Py_SetPath, xrefs: 00403361
  • PyImport_ExecCodeModule, xrefs: 00403185
  • PyObject_CallFunction, xrefs: 0040322D
  • Cannot GetProcAddress for Py_NewInterpreter, xrefs: 004037E8
  • Py_VerboseFlag, xrefs: 00402F84
  • Cannot GetProcAddress for PyErr_Print, xrefs: 0040365C
  • Py_IgnoreEnvironmentFlag, xrefs: 00402F14
  • Cannot GetProcAddress for Py_NoUserSiteDirectory, xrefs: 00403512
  • Cannot GetProcAddress for PyImport_AddModule, xrefs: 004036CA
  • PyList_Append, xrefs: 004031BD
  • PyList_New, xrefs: 004031D9
  • PyUnicode_DecodeFSDefault, xrefs: 00403444
  • Cannot GetProcAddress for PySys_SetArgvEx, xrefs: 0040377A
  • Py_DontWriteBytecodeFlag, xrefs: 00402EC3
  • Cannot GetProcAddress for PySys_AddWarnOption, xrefs: 00403764
  • PyUnicode_FromString, xrefs: 004033C2
  • Cannot GetProcAddress for PyLong_AsLong, xrefs: 0040370C
  • Cannot GetProcAddress for PyDict_GetItemString, xrefs: 004035EE
  • PyErr_Clear, xrefs: 004030C1
  • Cannot GetProcAddress for Py_SetPythonHome, xrefs: 00403604
  • Cannot GetProcAddress for PyUnicode_DecodeFSDefault, xrefs: 00403460
  • Cannot GetProcAddress for PyEval_AcquireThread, xrefs: 00403646
  • Cannot GetProcAddress for PyUnicode_FromFormat, xrefs: 0040382A
  • Py_SetPath, xrefs: 00403345
  • Cannot GetProcAddress for Py_NoSiteFlag, xrefs: 004034FC
  • Cannot GetProcAddress for PyModule_GetDict, xrefs: 00403722
  • Cannot GetProcAddress for PyImport_ImportModule, xrefs: 0040369E
  • Cannot GetProcAddress for PyObject_CallFunction, xrefs: 00403738
  • PyLong_AsLong, xrefs: 004031F5
  • PyThreadState_Swap, xrefs: 00403316
  • Py_NoSiteFlag, xrefs: 00402F30
  • Cannot GetProcAddress for Py_BuildValue, xrefs: 00403554
  • PyUnicode_Decode, xrefs: 0040341F
  • PySys_SetObject, xrefs: 004032DE
  • Cannot GetProcAddress for PyUnicode_FromString, xrefs: 00403840
  • Py_Finalize, xrefs: 00402FF4
  • Cannot GetProcAddress for PySys_GetObject, xrefs: 00403790
  • Cannot GetProcAddress for PyErr_Occurred, xrefs: 0040361A
  • PyEval_InitThreads, xrefs: 00403131
  • PyString_FromString, xrefs: 00403374
  • Py_FileSystemDefaultEncoding, xrefs: 00402EDC
  • Py_NewInterpreter, xrefs: 00403048
  • PyErr_Occurred, xrefs: 004030DD
  • Cannot GetProcAddress for Py_OptimizeFlag, xrefs: 00403528
  • Cannot GetProcAddress for PyList_Append, xrefs: 004036E0
  • Cannot GetProcAddress for PyString_FromString, xrefs: 004037D2
  • Cannot GetProcAddress for Py_FrozenFlag, xrefs: 004034D0
  • Cannot GetProcAddress for PyList_New, xrefs: 004036F6
  • Cannot GetProcAddress for Py_DontWriteBytecodeFlag, xrefs: 004034A4
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: AddressProc$Message
  • String ID: Cannot GetProcAddress for PyDict_GetItemString$Cannot GetProcAddress for PyErr_Clear$Cannot GetProcAddress for PyErr_Occurred$Cannot GetProcAddress for PyErr_Print$Cannot GetProcAddress for PyEval_AcquireThread$Cannot GetProcAddress for PyEval_InitThreads$Cannot GetProcAddress for PyEval_ReleaseThread$Cannot GetProcAddress for PyImport_AddModule$Cannot GetProcAddress for PyImport_ExecCodeModule$Cannot GetProcAddress for PyImport_ImportModule$Cannot GetProcAddress for PyList_Append$Cannot GetProcAddress for PyList_New$Cannot GetProcAddress for PyLong_AsLong$Cannot GetProcAddress for PyModule_GetDict$Cannot GetProcAddress for PyObject_CallFunction$Cannot GetProcAddress for PyObject_SetAttrString$Cannot GetProcAddress for PyRun_SimpleString$Cannot GetProcAddress for PyString_FromFormat$Cannot GetProcAddress for PyString_FromString$Cannot GetProcAddress for PySys_AddWarnOption$Cannot GetProcAddress for PySys_GetObject$Cannot GetProcAddress for PySys_SetArgvEx$Cannot GetProcAddress for PySys_SetObject$Cannot GetProcAddress for PySys_SetPath$Cannot GetProcAddress for PyThreadState_Swap$Cannot GetProcAddress for PyUnicode_Decode$Cannot GetProcAddress for PyUnicode_DecodeFSDefault$Cannot GetProcAddress for PyUnicode_FromFormat$Cannot GetProcAddress for PyUnicode_FromString$Cannot GetProcAddress for Py_BuildValue$Cannot GetProcAddress for Py_DecRef$Cannot GetProcAddress for Py_DecodeLocale$Cannot GetProcAddress for Py_DontWriteBytecodeFlag$Cannot GetProcAddress for Py_EndInterpreter$Cannot GetProcAddress for Py_FileSystemDefaultEncoding$Cannot GetProcAddress for Py_Finalize$Cannot GetProcAddress for Py_FrozenFlag$Cannot GetProcAddress for Py_IgnoreEnvironmentFlag$Cannot GetProcAddress for Py_IncRef$Cannot GetProcAddress for Py_Initialize$Cannot GetProcAddress for Py_NewInterpreter$Cannot GetProcAddress for Py_NoSiteFlag$Cannot GetProcAddress for Py_NoUserSiteDirectory$Cannot GetProcAddress for Py_OptimizeFlag$Cannot GetProcAddress for Py_SetPath$Cannot GetProcAddress for Py_SetProgramName$Cannot GetProcAddress for Py_SetPythonHome$Cannot GetProcAddress for Py_VerboseFlag$Cannot GetProcAddress for _Py_char2wchar$PyDict_GetItemString$PyErr_Clear$PyErr_Occurred$PyErr_Print$PyEval_AcquireThread$PyEval_InitThreads$PyEval_ReleaseThread$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyList_New$PyLong_AsLong$PyModule_GetDict$PyObject_CallFunction$PyObject_SetAttrString$PyRun_SimpleString$PyString_FromFormat$PyString_FromString$PySys_AddWarnOption$PySys_GetObject$PySys_SetArgvEx$PySys_SetObject$PySys_SetPath$PyThreadState_Swap$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$Py_BuildValue$Py_DecRef$Py_DecodeLocale$Py_DontWriteBytecodeFlag$Py_EndInterpreter$Py_FileSystemDefaultEncoding$Py_Finalize$Py_FrozenFlag$Py_IgnoreEnvironmentFlag$Py_IncRef$Py_Initialize$Py_NewInterpreter$Py_NoSiteFlag$Py_NoUserSiteDirectory$Py_OptimizeFlag$Py_SetPath$Py_SetProgramName$Py_SetPythonHome$Py_VerboseFlag$_Py_char2wchar
  • API String ID: 1380239581-2198451308
  • Opcode ID: fb014d4c5391707dad4b3f9c9261297eaea39e8c3c2cbaf4adf01f61ca117676
  • Instruction ID: 8dfd83f2616864123437410b8487f2ba804226521f95436f32023aec6ace528e
  • Opcode Fuzzy Hash: fb014d4c5391707dad4b3f9c9261297eaea39e8c3c2cbaf4adf01f61ca117676
  • Instruction Fuzzy Hash: 7E226AB4206A41D1ED10EF29EC9036427946F49365F944B37AA2D663F0EF3CDA46C31D
Uniqueness

Uniqueness Score: -1.00%

APIs
    • Part of subcall function 004051D0: MultiByteToWideChar.KERNEL32(00000000,004027CB), ref: 00405203
  • LoadLibraryA.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00000000,?,004026B5), ref: 004052C1
  • GetProcAddress.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00000000,?,004026B5), ref: 004052DB
  • GetProcAddress.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,00000000,?,004026B5), ref: 004052EA
  • free.MSVCRT ref: 0040532B
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: AddressProc$ByteCharLibraryLoadMultiWidefree
  • String ID: 8$ActivateActCtx$CreateActCtxW$kernel32
  • API String ID: 2285496191-1148279423
  • Opcode ID: fd5f08d5525b70dff067efeb75d026e4710781ed2c694377e28847c4213a9b2e
  • Instruction ID: a680f6fe32f0920bd1c2e83c73dc6e642f0ee386b60e29c3bea1a69af89bf4ce
  • Opcode Fuzzy Hash: fd5f08d5525b70dff067efeb75d026e4710781ed2c694377e28847c4213a9b2e
  • Instruction Fuzzy Hash: BF11E662B1250085EE26AB66FC057A62290AB48BF4FCC43769E2C477C0FE7CC586C70C
Uniqueness

Uniqueness Score: -1.00%

APIs
  • RtlCaptureContext.KERNEL32 ref: 00409554
  • RtlLookupFunctionEntry.KERNEL32 ref: 0040956B
  • RtlVirtualUnwind.KERNEL32 ref: 004095AD
  • SetUnhandledExceptionFilter.KERNEL32 ref: 004095F4
  • UnhandledExceptionFilter.KERNEL32 ref: 00409601
  • GetCurrentProcess.KERNEL32 ref: 00409607
  • TerminateProcess.KERNEL32 ref: 00409615
  • abort.MSVCRT ref: 0040961B
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
  • String ID:
  • API String ID: 4278921479-0
  • Opcode ID: ee135981cafe90e31f19b6786b008bc7e73b3e87d9d2b99d56b9f578b6b87718
  • Instruction ID: 47200af4bb5449d80b7fc02016a6f677fefbf6ab8d94ba30f08416ff6808f3e5
  • Opcode Fuzzy Hash: ee135981cafe90e31f19b6786b008bc7e73b3e87d9d2b99d56b9f578b6b87718
  • Instruction Fuzzy Hash: 6E21C2B5711B049AEB009F61E88438A37E8F748B88F94012AEF5E57B26EF78C544C748
Uniqueness

Uniqueness Score: -1.00%

APIs
  • GetSystemTimeAsFileTime.KERNEL32 ref: 004094A5
  • GetCurrentProcessId.KERNEL32 ref: 004094B0
  • GetCurrentThreadId.KERNEL32 ref: 004094B8
  • GetTickCount.KERNEL32 ref: 004094C0
  • QueryPerformanceCounter.KERNEL32 ref: 004094CD
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
  • String ID:
  • API String ID: 1445889803-0
  • Opcode ID: f5d902ffdea86f1e178a99578a2a8104af58eae437ec40a89e13fbfe0cf65f0b
  • Instruction ID: 0771ba78ac2fd6e5c4d8d3e78c67d00148b405db38c011d21c7d55e00469502f
  • Opcode Fuzzy Hash: f5d902ffdea86f1e178a99578a2a8104af58eae437ec40a89e13fbfe0cf65f0b
  • Instruction Fuzzy Hash: ED11A377716A5482F7115B25FC04356A260B788BE0F485231EFAD53BE4EB3CC98AC348
Uniqueness

Uniqueness Score: -1.00%

Strings
  • invalid literal/lengths set, xrefs: 0040759D
  • invalid bit length repeat, xrefs: 004075BA
  • invalid code -- missing end-of-block, xrefs: 00407412
  • invalid distances set, xrefs: 00407628
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID:
  • String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid distances set$invalid literal/lengths set
  • API String ID: 0-1153561608
  • Opcode ID: 3220221b92dc351202937ca47b83d099d03d7d5f0aaeb69cf35b2658a33fe792
  • Instruction ID: 1a54aa231d7212314b5928fb2d10becddcc084b3157767f03773e486eaa88400
  • Opcode Fuzzy Hash: 3220221b92dc351202937ca47b83d099d03d7d5f0aaeb69cf35b2658a33fe792
  • Instruction Fuzzy Hash: 50D11573B086948BD7548F28D44876E7BEAF784340F06813ADB9AA3784EB7DD944DB04
Uniqueness

Uniqueness Score: -1.00%

APIs
  • GetLastError.KERNEL32 ref: 00404E34
  • FormatMessageA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,004050F5), ref: 00404E6B
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: ErrorFormatLastMessage
  • String ID: FormatMessage failed.
  • API String ID: 3479602957-2374551320
  • Opcode ID: 2a711af880fc071f516ad20a5d621d9cf26b0c80b7b9657261a9cc38f3d4444f
  • Instruction ID: 42416e026329ca0fca50158094ca8a84fd3a4f44ec36ea3078e97e36bb3c6124
  • Opcode Fuzzy Hash: 2a711af880fc071f516ad20a5d621d9cf26b0c80b7b9657261a9cc38f3d4444f
  • Instruction Fuzzy Hash: 82E09A72704F0481EB10AB08F48474AB7B1F788788F904118EB8D03B38DF3DC1488B00
Uniqueness

Uniqueness Score: -1.00%

Strings
Similarity
  • API ID:
  • String ID: incorrect header check$invalid window size$unknown compression method
  • API String ID: 0-1186847913
  • Opcode ID: 184119f095f3ad7b1510e4504e269edca52182bfb9c765f5d20eb1fe37e904ad
  • Instruction ID: c7ca3c1955c31c1bea6bbe6de506d5c5799a482c05028099f11ec33d496bbb8f
  • Opcode Fuzzy Hash: 184119f095f3ad7b1510e4504e269edca52182bfb9c765f5d20eb1fe37e904ad
  • Instruction Fuzzy Hash: BE41E473704A848BE7649F28D44872B3AA9F784340F16823AEB5AE77C0D77DD845DB09
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Similarity
  • API ID: memcpy
  • String ID: header crc mismatch
  • API String ID: 3510742995-1313727592
  • Opcode ID: b2e473fea2c7138b3d8a1a7930c1d0a645f13e2a0c2724abd31b46377fc26fe6
  • Instruction ID: b612ce39462d0c667122e9ba7535e7ccec30cb76ee492382c9e6b593097b8e7f
  • Opcode Fuzzy Hash: b2e473fea2c7138b3d8a1a7930c1d0a645f13e2a0c2724abd31b46377fc26fe6
  • Instruction Fuzzy Hash: 8AD1D0736087848AD760DF15D048B2B7FAAFB84780F16852ADF8A67784CB3ED855CB44
Uniqueness

Uniqueness Score: -1.00%

Strings
Similarity
  • API ID:
  • String ID: invalid block type
  • API String ID: 0-1830746294
  • Opcode ID: b215b12c7d3747ab1e1605bce89ca2e9de8d6c88f0aa98ec5e8d38f02b624ed2
  • Instruction ID: 0f35900be8259ea93b3ff80a5c26da119c9c4e03fa620f67ad5ce1e252ef4264
  • Opcode Fuzzy Hash: b215b12c7d3747ab1e1605bce89ca2e9de8d6c88f0aa98ec5e8d38f02b624ed2
  • Instruction Fuzzy Hash: 4051BFB3A08AD48BE764CF19D84872F7AA9F740340F12813ADA5AA7784D77ED844DB04
Uniqueness

Uniqueness Score: -1.00%

Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: 0eea75c0fd7fc9ff7e5c776afdc5c8de9d7ec28fdde786f8b921576d9a9802a0
  • Instruction ID: 731322a3e6313fd2a85ddd05f6e677abdae86e015a9df5870098fa396d7c9c20
  • Opcode Fuzzy Hash: 0eea75c0fd7fc9ff7e5c776afdc5c8de9d7ec28fdde786f8b921576d9a9802a0
  • Instruction Fuzzy Hash: 58D14673A0869086C725CF28D54076FBBA1F798B84F04C126EBC967B88EB7CD945CB45
Uniqueness

Uniqueness Score: -1.00%

Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: fb8fdb3f5e2d28a69571c1236145325dbe6213883278acc331d4626d7a08023e
  • Instruction ID: 9cbcc23e7f41790bd0d8d84b2f2c1182faff96f263e34d27328aff44ff540404
  • Opcode Fuzzy Hash: fb8fdb3f5e2d28a69571c1236145325dbe6213883278acc331d4626d7a08023e
  • Instruction Fuzzy Hash: C07183B32100908BD79AEF6DD195B7A33E0F31C34EFC5541AEB8397282CA38A915DB15
Uniqueness

Uniqueness Score: -1.00%

Similarity
  • API ID:
  • String ID:
  • API String ID:
  • Opcode ID: cf6c7c5eaac56cc126fccfea5c0d0902ac45e9d713d7307b0515494d659b9d66
  • Instruction ID: fa73001aa4017c2f775b6673bcefdf0868a0bcac00e1272774f9553c57b32e19
  • Opcode Fuzzy Hash: cf6c7c5eaac56cc126fccfea5c0d0902ac45e9d713d7307b0515494d659b9d66
  • Instruction Fuzzy Hash: DF41F573654A5887FB29DF689A507AB6310BB20744F989139EEC2A7380CF39DD52C604
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

  • Executed
  • Not Executed
  • [Control-flow graph of the function at 403d60 not reproduced: the source renders it only as a raw block-edge list]
APIs
Strings
  • Error detected starting Python VM., xrefs: 00404035
  • Failed to convert argv to mbcs, xrefs: 00404072
  • @AA, xrefs: 00403E34
  • h@A, xrefs: 00404020
  • Failed to convert pyhome to ANSI (invalid multibyte string), xrefs: 004040AC
  • Failed to convert argv to wchar_t, xrefs: 0040409E
  • Failed to convert pyhome to wchar_t, xrefs: 00404088
  • AA, xrefs: 00403FCE
  • Failed to convert pypath to ANSI (invalid multibyte string), xrefs: 00404061
  • Failed to convert pypath to wchar_t, xrefs: 004040C2
  • 0AA, xrefs: 00403F96
  • (AA, xrefs: 00403DC5
  • rary.zip, xrefs: 00403F46
  • base_lib, xrefs: 00403F22
  • Failed to convert progname to wchar_t, xrefs: 0040404B
Similarity
  • API ID: strlen$strncpy$freestrncat
  • String ID: AA$(AA$0AA$@AA$Error detected starting Python VM.$Failed to convert argv to mbcs$Failed to convert argv to wchar_t$Failed to convert progname to wchar_t$Failed to convert pyhome to ANSI (invalid multibyte string)$Failed to convert pyhome to wchar_t$Failed to convert pypath to ANSI (invalid multibyte string)$Failed to convert pypath to wchar_t$base_lib$h@A$rary.zip
  • API String ID: 536656556-818343584
  • Opcode ID: d5f2173b25fe7f5f70ebea8929ea3124acc100606b4b01b30ecca26721d3e31f
  • Instruction ID: c625468cfb4a8e481f31caaa57f6815e4d34c0df173a7ae5a93bd890bf5fc424
  • Opcode Fuzzy Hash: d5f2173b25fe7f5f70ebea8929ea3124acc100606b4b01b30ecca26721d3e31f
  • Instruction Fuzzy Hash: B171A3B1310A4091EA04EF12D9543AA3361BB88B85F84453BEF1D677E1DF3CDA89C349
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
Strings
  • Error %d from inflate: %s, xrefs: 0040189D
  • Could not read from file, xrefs: 00401840
  • Cannot open archive file, xrefs: 0040181F
  • Error allocating decompression buffer, xrefs: 004018AD
  • Error decompressing %s, xrefs: 00401887
  • Could not allocate read buffer, xrefs: 00401853
  • 1.2.8, xrefs: 004017B5
  • Error %d from inflateInit: %s, xrefs: 0040186B
Similarity
  • API ID: htonl$malloc$fclosefreadfreefseek
  • String ID: 1.2.8$Cannot open archive file$Could not allocate read buffer$Could not read from file$Error %d from inflate: %s$Error %d from inflateInit: %s$Error allocating decompression buffer$Error decompressing %s
  • API String ID: 3942693450-953140909
  • Opcode ID: 7a8ce59a4c41f89970d6c75fb60a16d79db7906ccda7b1dba04f56491d99859c
  • Instruction ID: 20cc02ab2b35365fdbfffac1aebc3bced60fccd4bc7bc255e41d6d4489382de3
  • Opcode Fuzzy Hash: 7a8ce59a4c41f89970d6c75fb60a16d79db7906ccda7b1dba04f56491d99859c
  • Instruction Fuzzy Hash: D241CF3271064086DB10AB62E85135E7361EB85BA8F84833AAF6D677E1DF3CD502C749
Uniqueness

Uniqueness Score: -1.00%

APIs
  • strcpy.MSVCRT(?,?,?,00000000,?,?,?,0040239C), ref: 00401F65
  • strtok.MSVCRT ref: 00401F74
  • strcpy.MSVCRT(?,?,?,00000000,?,?,?,0040239C), ref: 00401F7F
  • strtok.MSVCRT ref: 00401F8D
  • strcpy.MSVCRT(?,?,?,00000000,?,?,?,0040239C), ref: 00401F98
    • Part of subcall function 00402A20: strlen.MSVCRT ref: 00402A2F
    • Part of subcall function 00402A20: strlen.MSVCRT ref: 00402A46
    • Part of subcall function 00402A20: strrchr.MSVCRT ref: 00402A5B
  • malloc.MSVCRT ref: 004021E5
  • strcpy.MSVCRT ref: 004021FD
  • strcpy.MSVCRT ref: 00402214
  • strcpy.MSVCRT ref: 00402227
    • Part of subcall function 00404B10: fread.MSVCRT ref: 00404B81
    • Part of subcall function 00404B10: fwrite.MSVCRT ref: 00404BA0
    • Part of subcall function 00404B10: ferror.MSVCRT ref: 00404BA8
    • Part of subcall function 00404B10: clearerr.MSVCRT ref: 00404BB9
    • Part of subcall function 00404B10: fclose.MSVCRT ref: 00404BC1
    • Part of subcall function 00404B10: fclose.MSVCRT ref: 00404BC9
  • free.MSVCRT ref: 0040227B
Strings
Similarity
  • API ID: strcpy$fclosestrlenstrtok$clearerrferrorfreadfreefwritemallocstrrchr
  • String ID: %s%s%s$%s%s%s%s%s$%s%s%s%s%s%s%s$%s%s%s.exe$%s%s%s.pkg$Archive not found: %s$Error allocating memory for status$Error coping %s$Error extracting %s$Error openning archive %s
  • API String ID: 372942807-4189782288
  • Opcode ID: 489925a531942dbe611d30a44a167c50af9159f7a705e225feaefcf2fd757542
  • Instruction ID: ec2efba8886cc95a9b353880751b016682208578bafc799568ddc5e9a287755d
  • Opcode Fuzzy Hash: 489925a531942dbe611d30a44a167c50af9159f7a705e225feaefcf2fd757542
  • Instruction Fuzzy Hash: 6071AF71300B41D0DA20EB62A98839B6365EB457C8F84463BAF5D677E9EF7CC50AC309
Uniqueness

Uniqueness Score: -1.00%

Strings
Similarity
  • API ID:
  • String ID: Failed to convert Wflag %s using mbstowcs (invalid multibyte string)$pAA$pyi-$xAA
  • API String ID: 0-3863319666
  • Opcode ID: 153354e6e5fe1837dd78e494b68cc847fbbf20b6aca904f366718dc2ad80831e
  • Instruction ID: 9a1ddf0f7731ebd1aff828f28c65d4010e5f9e2d3add2465906b6942aa4bedb4
  • Opcode Fuzzy Hash: 153354e6e5fe1837dd78e494b68cc847fbbf20b6aca904f366718dc2ad80831e
  • Instruction Fuzzy Hash: 64517FB6300B0485EB01DF26E8443993B65F784B94F858427EE4D273E1DEBDC682C749
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
  • Error creating child process!, xrefs: 00404DD8
Similarity
  • API ID: signal$__iob_func_get_osfhandle$Process_fileno$ByteCharCodeCommandCreateExitInfoLineMessageMultiObjectSingleStartupWaitWide
  • String ID: Error creating child process!
  • API String ID: 1132155251-874417334
  • Opcode ID: 2194e17c767d7d1e903bec482ca4616e1714a36ad0bc2c1fd10dee62238db473
  • Instruction ID: ad3f4fe60c704a4c0dc35a928c030135e327ee57ca6a6662be0cc880c594b894
  • Opcode Fuzzy Hash: 2194e17c767d7d1e903bec482ca4616e1714a36ad0bc2c1fd10dee62238db473
  • Instruction Fuzzy Hash: AB416D72604B8086E720AB61F8143DEB365F7C4788F84412AEB8957BD9DF7DC489CB45
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Similarity
  • API ID: freehtonlstrlen
  • String ID: %U?%d$%s?%d$0@A$@@A$Failed to append to sys.path$Failed to convert %s to ShortFileName$H@A$Installing PYZ: Could not get sys.path$`AA$path$strict$utf-8$x@A
  • API String ID: 3015487287-2523712903
  • Opcode ID: 5d732032b26f79e05fb9afd97506af8a4183f4094b58d356c0d2bf75857dadb9
  • Instruction ID: ab721bec7f9f623facd485a71d42d002c2b0c2e2b6a87b54647216b4cfe9a86d
  • Opcode Fuzzy Hash: 5d732032b26f79e05fb9afd97506af8a4183f4094b58d356c0d2bf75857dadb9
  • Instruction Fuzzy Hash: 49315EB5301A0581EA109F6AEC943AA2361AB89FD0F445136EF1E973F0DE3CC489C309
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Similarity
  • API ID: freehtonl$strlen
  • String ID: 0@A$Failed to encode _MEIPASS as ANSI.$Failed to get _MEIPASS as PyObject.$_MEIPASS$loads$marshal$mod is NULL - %s$p@A$strict$utf-8
  • API String ID: 3906103995-3737714994
  • Opcode ID: 465255bdcfc1e768698470395e69446301f7c4fee9bd4f4edbb8c6e63271a74a
  • Instruction ID: e808acb8077d40cc738ee50979d7b6a897450dfa48867cf4ad32c6fecf37c204
  • Opcode Fuzzy Hash: 465255bdcfc1e768698470395e69446301f7c4fee9bd4f4edbb8c6e63271a74a
  • Instruction Fuzzy Hash: 1B514CB5701A4595EA04AF66E81479A3360BBC8BD4F848036EF1E673A0DE3CD58AC309
Uniqueness

Uniqueness Score: -1.00%

APIs
  • VirtualQuery.KERNEL32(?,?,?,?,00420CB8,004208F0,00420CB0,00007FFE2167ADA0,?,?,00000001,0040127C), ref: 00409C20
  • VirtualProtect.KERNEL32(?,?,?,?,00420CB8,004208F0,00420CB0,00007FFE2167ADA0,?,?,00000001,0040127C), ref: 00409C42
Strings
  • Unknown pseudo relocation protocol version %d., xrefs: 00409D5C
  • VirtualQuery failed for %d bytes at address %p, xrefs: 00409A41, 00409D45
  • Unknown pseudo relocation bit size %d., xrefs: 00409CFB
Similarity
  • API ID: Virtual$ProtectQuery
  • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$ VirtualQuery failed for %d bytes at address %p
  • API String ID: 1027372294-974437099
  • Opcode ID: 370af8209c70e60713bc316d65060df5d09bbd75fdbed4a9326e66ca4e1fa11b
  • Instruction ID: c259829f2ce66ad8be4600a5f7c9c0ae14dbefceb41588937a7c48ac08327f82
  • Opcode Fuzzy Hash: 370af8209c70e60713bc316d65060df5d09bbd75fdbed4a9326e66ca4e1fa11b
  • Instruction Fuzzy Hash: 9CA104B1B1161086EF10DB76E84035A7262B785B98F58813BDE0E673DADA3DDC81C74D
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Similarity
  • API ID: signal
  • String ID: CCG
  • API String ID: 1946981877-1584390748
  • Opcode ID: 62e706bc50a35d06dfd35718d0333dc31fdd1761d94b1fa342299dab296be895
  • Instruction ID: ba8f3c7fa7eb4ef5a7f4c895a6f935a00d2db395aa01383009ea5cf1ff0c268b
  • Opcode Fuzzy Hash: 62e706bc50a35d06dfd35718d0333dc31fdd1761d94b1fa342299dab296be895
  • Instruction Fuzzy Hash: FC31782070130845FF386ABA405537A11529BC9764F1C863B8E99AB3E2CD7D9CF5421F
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
  • Fatal error: unable to decode the command line argument #%i, xrefs: 00403CA7
  • out of memory, xrefs: 00403CF3
  • P@A, xrefs: 00403C6C
Similarity
  • API ID: freesetlocale$_strdupmalloc
  • String ID: Fatal error: unable to decode the command line argument #%i$P@A$out of memory
  • API String ID: 2725144634-1541601420
  • Opcode ID: c73bde45fad79b3137ef6c0e1b3de0283890412c1adb18c2aa31af2d7ecf11ce
  • Instruction ID: 9bb2ea38288ab18b6f2641835edcff304c8dd58b6507079d24d50bf133d278d8
  • Opcode Fuzzy Hash: c73bde45fad79b3137ef6c0e1b3de0283890412c1adb18c2aa31af2d7ecf11ce
  • Instruction Fuzzy Hash: E911293271960051FA05EF239C4676A6696FB887C9F44443BAF0EB73D1EE7CE5468309
Uniqueness

Uniqueness Score: -1.00%

APIs
  • strlen.MSVCRT ref: 0040A83D
  • _stat64.MSVCRT ref: 0040A88A
  • malloc.MSVCRT(?,?,?,00000000,00000000,00000000,?,00404ADB,00000000,?,?,004018F8,?,00000000,?,0040237A), ref: 0040A993
  • memcpy.MSVCRT ref: 0040A9A8
  • _stat64.MSVCRT ref: 0040A9BB
  • free.MSVCRT(?,?,?,00000000,00000000,00000000,?,00404ADB,00000000,?,?,004018F8,?,00000000,?,0040237A), ref: 0040A9CE
Strings
Similarity
  • API ID: _stat64$freemallocmemcpystrlen
  • String ID: /$\
  • API String ID: 4289191721-1600464054
  • Opcode ID: afaa9594c2fbd14218c877cf9de533ed217e39fa7131db8b7463dec093f0c919
  • Instruction ID: e1e1264e21ea873f7081d26a174ac28cafb238b164bdd29bfaeae30908e2f72d
  • Opcode Fuzzy Hash: afaa9594c2fbd14218c877cf9de533ed217e39fa7131db8b7463dec093f0c919
  • Instruction Fuzzy Hash: A64106A260838489D7349B25901037B77A1E709B98F588237EFE9573C5E73CC9A2D70B
Uniqueness

Uniqueness Score: -1.00%

APIs
  • __iob_func.MSVCRT ref: 004098D7
  • VirtualQuery.KERNEL32(?,?,?,?,00411078,00411080,00420CB0,?,00400000,?,00409C83,?,?,?,?,00420CB8), ref: 004099B6
  • VirtualProtect.KERNEL32(?,?,?,?,00411078,00411080,00420CB0,?,00400000,?,00409C83,?,?,?,?,00420CB8), ref: 004099EF
Strings
  • VirtualQuery failed for %d bytes at address %p, xrefs: 00409A41
  • VirtualProtect failed with code 0x%x, xrefs: 00409A27
  • Mingw-w64 runtime failure:, xrefs: 004098B7
  • Address %p has no image-section, xrefs: 00409907, 00409A52
Similarity
  • API ID: Virtual$ProtectQuery__iob_func
  • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
  • API String ID: 2215987729-1534286854
  • Opcode ID: ffb044a4ab8c20de9d15be05abf53f4b7ef1defed271e2e0749537632e8bea11
  • Instruction ID: 833183a9cc9972c4a14ad0efb24655237578dc0c992c735e04c9cc9bc24e62a3
  • Opcode Fuzzy Hash: ffb044a4ab8c20de9d15be05abf53f4b7ef1defed271e2e0749537632e8bea11
  • Instruction Fuzzy Hash: E341C4B2701B4895EA10EF12EC40B9A7765F785BD4F888126EF4D177A2DB3CD982C708
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Similarity
  • API ID: freestrcpy
  • String ID: %s returned %d$X@A$__file__$__main__$`AA$@A
  • API String ID: 2886119151-1980674163
  • Opcode ID: fa025c14a33da7166400af14b540f5ea2b880b2e0e806bb88dbf313190ae835a
  • Instruction ID: 3bbd477e50662e64b0b2787ec8782624d3215cb4a746aade0dde02e8aa6e7359
  • Opcode Fuzzy Hash: fa025c14a33da7166400af14b540f5ea2b880b2e0e806bb88dbf313190ae835a
  • Instruction Fuzzy Hash: B43190A6311A4096EB04DF26DD5979A23A0FB84FC4F444436EE0EA77E4DE7CC58AC308
Uniqueness

Uniqueness Score: -1.00%

APIs
Similarity
  • API ID: _findclose_findfirst64_findnext64_rmdirstrcpystrncpy
  • String ID:
  • API String ID: 1819227052-0
  • Opcode ID: b9f7655afaa773938253781283c13a5c13bcfbf7d239c4aa562c1c6d2854e82c
  • Instruction ID: 53a4c8827c4a944d61ad0912894303175243af30d8974cc70183f57f99834eee
  • Opcode Fuzzy Hash: b9f7655afaa773938253781283c13a5c13bcfbf7d239c4aa562c1c6d2854e82c
  • Instruction Fuzzy Hash: AC518C72208BC486CA709B26B84479BA3A5F7C9B94F844226EF9C57B98CF3CC545CB04
Uniqueness

Uniqueness Score: -1.00%

APIs
  • strcpy.MSVCRT(00000000,?,?,004018F8,?,00000000,?,0040237A), ref: 00404A23
  • strcpy.MSVCRT(00000000,?,?,004018F8,?,00000000,?,0040237A), ref: 00404A36
  • strcpy.MSVCRT(00000000,?,?,004018F8,?,00000000,?,0040237A), ref: 00404A96
  • strtok.MSVCRT ref: 00404AA4
  • _mkdir.MSVCRT ref: 00404AC3
Strings
  • WARNING: file already exists but should not: %s, xrefs: 00404ADF
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: strcpy$_mkdirstrtok
  • String ID: WARNING: file already exists but should not: %s
  • API String ID: 816343049-146164175
  • Opcode ID: 5d8a333752282de69e06ed6eb0fc311e30db1e01f0c989ef7786df896aa5d169
  • Instruction ID: f921468b05e314dd13464e66fb942e9d3f4488ced02e2c206f185b2cffef3ded
  • Opcode Fuzzy Hash: 5d8a333752282de69e06ed6eb0fc311e30db1e01f0c989ef7786df896aa5d169
  • Instruction Fuzzy Hash: 4E21F9E234074040EF08FB2299553AAA3529B84BC8F48903B9F4EA77C9EE3CD1598709
Uniqueness

Uniqueness Score: -1.00%

APIs
    • Part of subcall function 00402E60: _wfopen.MSVCRT ref: 00402E9F
    • Part of subcall function 00404A00: strcpy.MSVCRT(00000000,?,?,004018F8,?,00000000,?,0040237A), ref: 00404A23
    • Part of subcall function 00404A00: strcpy.MSVCRT(00000000,?,?,004018F8,?,00000000,?,0040237A), ref: 00404A36
    • Part of subcall function 00404A00: strcpy.MSVCRT(00000000,?,?,004018F8,?,00000000,?,0040237A), ref: 00404A96
    • Part of subcall function 00404A00: strtok.MSVCRT ref: 00404AA4
    • Part of subcall function 00404A00: _mkdir.MSVCRT ref: 00404AC3
  • fread.MSVCRT ref: 00404B81
  • fwrite.MSVCRT ref: 00404BA0
  • ferror.MSVCRT ref: 00404BA8
  • clearerr.MSVCRT ref: 00404BB9
  • fclose.MSVCRT ref: 00404BC1
  • fclose.MSVCRT ref: 00404BC9
  • ferror.MSVCRT ref: 00404BE3
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: strcpy$fcloseferror$_mkdir_wfopenclearerrfreadfwritestrtok
  • String ID:
  • API String ID: 3389585548-0
  • Opcode ID: 7c9352700bdc7d628c64f3096aca25eb7e3f78078066cce4ae5241e7bd880dc1
  • Instruction ID: ba74e6cd87a6e8d23cdf3f08ff517b998d4ef90baa80373cc20f398b82aed0ea
  • Opcode Fuzzy Hash: 7c9352700bdc7d628c64f3096aca25eb7e3f78078066cce4ae5241e7bd880dc1
  • Instruction Fuzzy Hash: 5411A36034535005E924B637A9213AA61514BCAFE8F0D4337BF2A7B7C2ED7CE955424E
Uniqueness

Uniqueness Score: -1.00%

APIs
  • GetTempPathW.KERNEL32(00000000,00000000,?,00000000,?,004046D0), ref: 00404608
    • Part of subcall function 00405010: WideCharToMultiByte.KERNEL32 ref: 00405055
  • _tempnam.MSVCRT ref: 00404648
  • free.MSVCRT(?,004046D0), ref: 0040465D
  • strcpy.MSVCRT(?,004046D0), ref: 00404686
  • free.MSVCRT(?,004046D0), ref: 0040468E
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: free$ByteCharMultiPathTempWide_tempnamstrcpy
  • String ID: _MEI%d
  • API String ID: 1487803751-2647977119
  • Opcode ID: e408ef9a2e51c9c82f0930a40ffba075ad80d0785312b1d63eaef4c08b1a0000
  • Instruction ID: 2af8035704a60aaba750fa089b0cf0c117100dd7e8b10f78e2a28e98801b9f84
  • Opcode Fuzzy Hash: e408ef9a2e51c9c82f0930a40ffba075ad80d0785312b1d63eaef4c08b1a0000
  • Instruction Fuzzy Hash: C701F55231121005FA21F723AD257BA62566785FD5F880036BF0957BC5DD3CC186C30D
Uniqueness

Uniqueness Score: -1.00%

APIs
    • Part of subcall function 004016C0: htonl.WS2_32 ref: 004016E7
    • Part of subcall function 004016C0: fseek.MSVCRT ref: 004016F2
    • Part of subcall function 004016C0: htonl.WS2_32 ref: 004016FA
    • Part of subcall function 004016C0: malloc.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,004018D5), ref: 004016FE
    • Part of subcall function 004016C0: htonl.WS2_32 ref: 00401715
    • Part of subcall function 004016C0: fread.MSVCRT ref: 00401725
    • Part of subcall function 004016C0: fclose.MSVCRT ref: 00401741
    • Part of subcall function 00404A00: strcpy.MSVCRT(00000000,?,?,004018F8,?,00000000,?,0040237A), ref: 00404A23
    • Part of subcall function 00404A00: strcpy.MSVCRT(00000000,?,?,004018F8,?,00000000,?,0040237A), ref: 00404A36
    • Part of subcall function 00404A00: strcpy.MSVCRT(00000000,?,?,004018F8,?,00000000,?,0040237A), ref: 00404A96
    • Part of subcall function 00404A00: strtok.MSVCRT ref: 00404AA4
    • Part of subcall function 00404A00: _mkdir.MSVCRT ref: 00404AC3
  • htonl.WS2_32 ref: 004018FE
  • fwrite.MSVCRT ref: 0040191A
  • fclose.MSVCRT ref: 0040192D
  • free.MSVCRT(?,0040237A), ref: 00401935
Strings
  • %s could not be extracted!, xrefs: 00401966
  • Failed to write all bytes for %s, xrefs: 00401950
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: htonl$strcpy$fclose$_mkdirfreadfreefseekfwritemallocstrtok
  • String ID: %s could not be extracted!$Failed to write all bytes for %s
  • API String ID: 1529474769-4280981103
  • Opcode ID: 6a2c22812725064a9526378affc13225e106923afdd63d52c084d7b1645345d4
  • Instruction ID: 8c398d686e71ead9485c5d018f3190b6545b8928d25ad32d6dc9a72674108e3e
  • Opcode Fuzzy Hash: 6a2c22812725064a9526378affc13225e106923afdd63d52c084d7b1645345d4
  • Instruction Fuzzy Hash: FA01D2A530054184D924BB37796536662106B56BF8F584637BE2E6B7F2ED3CC441C308
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: strlen$callocstrcatstrncpy
  • String ID:
  • API String ID: 1491473955-0
  • Opcode ID: 8e8b92af94020233a5578de94d80baa0c09ee753f36b1f250c11f23f59c1ec69
  • Instruction ID: 1a84884f6026c3cfd2e9d9623d3f6f74bf9650dcc2e15abe1e6be2c308f6660a
  • Opcode Fuzzy Hash: 8e8b92af94020233a5578de94d80baa0c09ee753f36b1f250c11f23f59c1ec69
  • Instruction Fuzzy Hash: C211931235578548EA09AE776D2936E66914749FE8F8C823A9F1E273C1C97CA4928305
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
  • Failed to get ANSI buffer size(WideCharToMultiByte: %s), xrefs: 00404F35
  • Failed to encode filename as ANSI(WideCharToMultiByte: %s), xrefs: 00404F57
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: ByteCharMultiWide$malloc
  • String ID: Failed to encode filename as ANSI(WideCharToMultiByte: %s)$Failed to get ANSI buffer size(WideCharToMultiByte: %s)
  • API String ID: 1811578439-1203231885
  • Opcode ID: 7dbbe72cdfc3a4b5f16854537ab3d4108a5214151d301eb1b8e46d5f6170e34b
  • Instruction ID: 8e936f86b0c13088044aa7846ff6e098b445a819c538e732604ca650942dc612
  • Opcode Fuzzy Hash: 7dbbe72cdfc3a4b5f16854537ab3d4108a5214151d301eb1b8e46d5f6170e34b
  • Instruction Fuzzy Hash: BA11E0B231878049E710EB66B84071B6692A7C4BE8F44423ABF4E973D5DF3CD1468718
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
  • Failed to get UTF-8 buffer size (WideCharToMultiByte: %s), xrefs: 004050F5
  • Failed to encode wchar_t as UTF-8 (WideCharToMultiByte: %s), xrefs: 004050D5
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: ByteCharMultiWide$malloc
  • String ID: Failed to encode wchar_t as UTF-8 (WideCharToMultiByte: %s)$Failed to get UTF-8 buffer size (WideCharToMultiByte: %s)
  • API String ID: 1811578439-417752794
  • Opcode ID: b2455046d537ed025246654f5e6c4df18aa650cf0229e043258959db2f6b072d
  • Instruction ID: 55faa4a1a0c8ac3bf97563c8162a9a99dc97166906f0291d71076813bf7b9199
  • Opcode Fuzzy Hash: b2455046d537ed025246654f5e6c4df18aa650cf0229e043258959db2f6b072d
  • Instruction Fuzzy Hash: 20112771214B8080D720EBA6F85475B7692E7847D4F54023ABF4E277D5DF3CC0458B48
Uniqueness

Uniqueness Score: -1.00%

APIs
  • MultiByteToWideChar.KERNEL32(00000000,004027CB), ref: 00405203
  • MultiByteToWideChar.KERNEL32 ref: 00405235
  • malloc.MSVCRT ref: 00405249
Strings
  • Failed to get UTF-8 buffer size (WideCharToMultiByte: %s), xrefs: 00405285
  • Failed to encode wchar_t as UTF-8 (WideCharToMultiByte: %s), xrefs: 00405265
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: ByteCharMultiWide$malloc
  • String ID: Failed to encode wchar_t as UTF-8 (WideCharToMultiByte: %s)$Failed to get UTF-8 buffer size (WideCharToMultiByte: %s)
  • API String ID: 1811578439-417752794
  • Opcode ID: 65523731919d94906e88fef58f2046196692ed508bceefa81d50a816619cff43
  • Instruction ID: 1829835b08fe06db173ae0be00d8055f1978291cc1df714ca76926b288931067
  • Opcode Fuzzy Hash: 65523731919d94906e88fef58f2046196692ed508bceefa81d50a816619cff43
  • Instruction Fuzzy Hash: 1A0108A1315B8080DB24EBA7B8043675656EF847D4F88423B6F1E677D6EA3CC1454B19
Uniqueness

Uniqueness Score: -1.00%

APIs
  • GetShortPathNameW.KERNEL32 ref: 00404F89
  • malloc.MSVCRT(?,?,00000000,00000000,00000000,00000000,004054B5,00000000,00000000,00000000,?,004055FC,?,?,?,00403E91), ref: 00404FB7
  • GetShortPathNameW.KERNEL32 ref: 00404FC8
  • free.MSVCRT(?,?,00000000,00000000,00000000,00000000,004054B5,00000000,00000000,00000000,?,004055FC,?,?,?,00403E91), ref: 00404FD1
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: NamePathShort$freemalloc
  • String ID:
  • API String ID: 859375759-0
  • Opcode ID: 6699205058150a51735f19e3c32b910a5c81d6da57c4b7a70f43270fff13a6c9
  • Instruction ID: 2211dccd66dd272190241d3afbbb2d73526d4f17e82fc538aec5281a4e3dae48
  • Opcode Fuzzy Hash: 6699205058150a51735f19e3c32b910a5c81d6da57c4b7a70f43270fff13a6c9
  • Instruction Fuzzy Hash: 82F0F4433042154CEA11BBA7B810A2B638157C9FD8F8841366F0D57790FD3CC9428348
Uniqueness

Uniqueness Score: -1.00%

APIs
  • htonl.WS2_32 ref: 00403B9F
  • sprintf.MSVCRT ref: 00403BB4
  • GetModuleHandleA.KERNEL32 ref: 00403BBC
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32(?,00000000,00000000,00403B50), ref: 00402ECA
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402EE6
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402F02
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402F1E
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402F3A
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402F56
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402F72
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402F8E
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402FAA
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402FC6
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402FE2
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00402FFE
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 0040301A
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00403036
    • Part of subcall function 00402EB0: GetProcAddress.KERNEL32 ref: 00403052
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: AddressProc$HandleModulehtonlsprintf
  • String ID: python%02d.dll
  • API String ID: 2160778486-3240720561
  • Opcode ID: e8e0c94b8d696a8e247a8d6711bd4b0f088dd86a0ba977bcb5b43c77ba6eb1d5
  • Instruction ID: c3daf762885c521b331cbebedad4589506d417733dd860c90c9c247d51c9f6e6
  • Opcode Fuzzy Hash: e8e0c94b8d696a8e247a8d6711bd4b0f088dd86a0ba977bcb5b43c77ba6eb1d5
  • Instruction Fuzzy Hash: 71F046B3B405804AEB15AF36FD003A92658AB84BDDF0881367E0D0B3C1EE7CC689C704
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
  • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004097B4
  • Unknown error, xrefs: 00409840
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: __iob_funcfprintf
  • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
  • API String ID: 620453056-3474627141
  • Opcode ID: 1e137aaf1e87af944d05dab27dc7942831f8f447c03aa0d7637770eb2cf9585a
  • Instruction ID: 05125ab989fc94fd1a1ee5d5c7f3246d03dbe1895968bfc318d97824a59f4309
  • Opcode Fuzzy Hash: 1e137aaf1e87af944d05dab27dc7942831f8f447c03aa0d7637770eb2cf9585a
  • Instruction Fuzzy Hash: 2F01C472814E88C2D6128F1CE8413DA7375FF9A75AF259312EB8826220EB39C683C704
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: AddressHandleModuleProc
  • String ID: _Jv_RegisterClasses$libgcj-16.dll
  • API String ID: 1646373207-328863460
  • Opcode ID: 07a31081c0775124946185f2ad910950a88c62d2f2ff6a43d91c321d60c0dd76
  • Instruction ID: b2902900027f60e06de8ccbbe6e20b092d05b50b4564f8c9e42d6d452d03cfa8
  • Opcode Fuzzy Hash: 07a31081c0775124946185f2ad910950a88c62d2f2ff6a43d91c321d60c0dd76
  • Instruction Fuzzy Hash: 27F05450B12504E4EE18AB62EC853712394BB94744FC80527970F693F1EF3CD546C70C
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
  • Overflow range error (OVERFLOW), xrefs: 00409800
  • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004097B4
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: __iob_funcfprintf
  • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
  • API String ID: 620453056-4064033741
  • Opcode ID: df03d6ee092570d9ee97311d3b684b301bdabdfbf1b75063ed1cec71fb31cb9e
  • Instruction ID: 02530b72581efb045f029dfce8b0d88f850cc6e8d297446133ccc98462c45377
  • Opcode Fuzzy Hash: df03d6ee092570d9ee97311d3b684b301bdabdfbf1b75063ed1cec71fb31cb9e
  • Instruction Fuzzy Hash: D7F06D63414F8882D202DF18E8002DAB330FF5EB89F595316EB893A464DB28C683C704
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
  • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004097B4
  • The result is too small to be represented (UNDERFLOW), xrefs: 00409810
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: __iob_funcfprintf
  • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
  • API String ID: 620453056-2187435201
  • Opcode ID: 7e2215f3e2ccd37b687e6e5740f0ef228d478794b607ec647e0ad242eb66aff0
  • Instruction ID: d8b9474903a86d4dbd832d7bf12a5efd3fb37c1d6457ce23edd3d7fc768f72b2
  • Opcode Fuzzy Hash: 7e2215f3e2ccd37b687e6e5740f0ef228d478794b607ec647e0ad242eb66aff0
  • Instruction Fuzzy Hash: F8F06D63414F8882D202DF18E8402DA7330FF5EB8DF595316EB893A464DB28C683C704
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
  • Total loss of significance (TLOSS), xrefs: 00409820
  • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004097B4
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: __iob_funcfprintf
  • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
  • API String ID: 620453056-4273532761
  • Opcode ID: 776f3b702c7574da518a02f39034b01082c565f0399b82255bd7c34053e2ea46
  • Instruction ID: 42fa24b172e3d42e0712c506c16e7e4d1b86559517cae500629c9ed2e9e68436
  • Opcode Fuzzy Hash: 776f3b702c7574da518a02f39034b01082c565f0399b82255bd7c34053e2ea46
  • Instruction Fuzzy Hash: B3F06D63414F8882D202DF18E8402DA7330FF5EB89F595316EB893B424DB38D683C704
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
  • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004097B4
  • Partial loss of significance (PLOSS), xrefs: 00409830
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: __iob_funcfprintf
  • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
  • API String ID: 620453056-4283191376
  • Opcode ID: 9e2661dcb2f33eb58e10e38e1f95bd23eccb4d13c64803675dd2f814b0fc33bc
  • Instruction ID: 27936858ed383bc2b2bd44c5d82aeab57017d2e8033e14475d3a46fe44abce57
  • Opcode Fuzzy Hash: 9e2661dcb2f33eb58e10e38e1f95bd23eccb4d13c64803675dd2f814b0fc33bc
  • Instruction Fuzzy Hash: B9F06D63414F8882D202DF1CE8002DAB330FF5EB89F595316EB893A464DB28C683C704
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
  • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004097B4
  • Argument singularity (SIGN), xrefs: 004097F0
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: __iob_funcfprintf
  • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
  • API String ID: 620453056-2468659920
  • Opcode ID: 9909dbabe30ffe64a938fa1a04f287bf2f8e9a466dabdb256817832d95c671b6
  • Instruction ID: d6400203189cca4d95e3c53a814882dfe4ca19a679120cde9b0c2c9d72242ff5
  • Opcode Fuzzy Hash: 9909dbabe30ffe64a938fa1a04f287bf2f8e9a466dabdb256817832d95c671b6
  • Instruction Fuzzy Hash: E4F06D63414F8886D202DF18E8002DA7330FF5EB89F595316EB893A464DB29C687C704
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
  • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 004097B4
  • Argument domain error (DOMAIN), xrefs: 00409781
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: __iob_funcfprintf
  • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
  • API String ID: 620453056-2713391170
  • Opcode ID: c6521bd640a46289397513d3ebc73d01f80d8cbfb38599cbd050336f2aed7eb3
  • Instruction ID: 395b9d67100a26f0999d8affa1dc0da1340c5ef533c6ec0a4bbdb1223ead7931
  • Opcode Fuzzy Hash: c6521bd640a46289397513d3ebc73d01f80d8cbfb38599cbd050336f2aed7eb3
  • Instruction Fuzzy Hash: FBF06D22404F8886D202DF18E8003EAB370FF5EB8AF595316EF893A524DB24C683C704
Uniqueness

Uniqueness Score: -1.00%

APIs
  • VirtualQuery.KERNEL32(?,?,?,?,00411078,00411080,00420CB0,?,00400000,?,00409C83,?,?,?,?,00420CB8), ref: 004099B6
  • VirtualProtect.KERNEL32(?,?,?,?,00411078,00411080,00420CB0,?,00400000,?,00409C83,?,?,?,?,00420CB8), ref: 004099EF
Strings
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: Virtual$ProtectQuery
  • String ID: Address %p has no image-section
  • API String ID: 1027372294-867041741
  • Opcode ID: 2e5603a609fef3d91b63fcbea465d444794766caf63ad82a80abffd2afdee14b
  • Instruction ID: 75b54d7e15573e8bc8070898cdc6aed300dd5b6bc5cae5b8542f4fed496064a6
  • Opcode Fuzzy Hash: 2e5603a609fef3d91b63fcbea465d444794766caf63ad82a80abffd2afdee14b
  • Instruction Fuzzy Hash: 8931D6F3702A8896EA119F16EC04B567765F785BE4F888136AF4D17392DA3CD982C708
Uniqueness

Uniqueness Score: -1.00%

APIs
  • GetModuleFileNameW.KERNEL32(00000000,?,004027A9), ref: 00402DB2
    • Part of subcall function 00405010: WideCharToMultiByte.KERNEL32 ref: 00405055
Strings
  • Failed to get executable path. GetModuleFileNameW: %s, xrefs: 00402DE5
  • Failed to convert executable path to UTF-8., xrefs: 00402E00
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: ByteCharFileModuleMultiNameWide
  • String ID: Failed to convert executable path to UTF-8.$Failed to get executable path. GetModuleFileNameW: %s
  • API String ID: 1532159127-1514788002
  • Opcode ID: 2dbe73ce97545ada1c57d79f824588f7040bff5592efd154e3568f911a091c82
  • Instruction ID: 3d0a194baefc9d53d195507dc22fd84c2c5fe56aae02c0f46b72789a61c9d716
  • Opcode Fuzzy Hash: 2dbe73ce97545ada1c57d79f824588f7040bff5592efd154e3568f911a091c82
  • Instruction Fuzzy Hash: 8CF024A032464182ED25B736A80D39702446F49BE8F88873B7D1DA73C9EE7CC986831D
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
  • Source File: 00000000.00000002.1655568124.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
  • Associated: 00000000.00000002.1655558127.0000000000400000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655579775.000000000040C000.00000002.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655590838.0000000000421000.00000004.00000001.01000000.00000003.sdmp
  • Associated: 00000000.00000002.1655601723.0000000000425000.00000008.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
  • Snapshot File: hcaresult_0_2_400000_coordinator.jbxd
Similarity
  • API ID: CriticalSection$EnterLeavefree
  • String ID:
  • API String ID: 4020351045-0
  • Opcode ID: 847521859675ebe6ed32fd73c62fc19fd2359558dd3d4da52489902cee143c44
  • Instruction ID: e716da91d234f5c006ccb2b98e76ee0c4fd4f4dd55b0a718b9d73bd79d03ec33
  • Opcode Fuzzy Hash: 847521859675ebe6ed32fd73c62fc19fd2359558dd3d4da52489902cee143c44
  • Instruction Fuzzy Hash: A9011EF271170086DB1CDB52E89072923E1B758B90F944436DA1D97B61EF3CC9A5C709
Uniqueness

Uniqueness Score: -1.00%