
Windows Analysis Report
211.exe

Overview

General Information

Sample name: 211.exe
Analysis ID: 1559169
MD5: f7c96ff131b356fe164c8d666c0f3b46
SHA1: 7468349a73f810bcf320dd6ae65cb46fc81a9c10
SHA256: fb2812b22e399ad46d1c3da512199be1647ad932dd5c0166d58be87cde3e1876
Tags: exe, opendir, user-Joker

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Renames NTDLL to bypass HIPS
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables driver privileges
Enables security privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • 211.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\211.exe" MD5: F7C96FF131B356FE164C8D666C0F3B46)
  • 211.exe (PID: 5408 cmdline: "C:\Users\user\Desktop\211.exe" MD5: F7C96FF131B356FE164C8D666C0F3B46)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: 211.exe PID: 6600 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Process Memory Space: 211.exe PID: 5408 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |

Sigma match
Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: C:\Users\user\Desktop\211.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\211.exe, ProcessId: 6600, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\

No Suricata rule has matched


      AV Detection

Source: C:\Users\user\Desktop\QQWER.dll | ReversingLabs: Detection: 73%
Source: 211.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.8% probability
Source: C:\Users\user\Desktop\QQWER.dll | Joe Sandbox ML: detected
Source: 211.exe | Joe Sandbox ML: detected

      Compliance

Source: C:\Users\user\Desktop\211.exe | Unpacked PE file: 0.2.211.exe.10000000.2.unpack
Source: C:\Users\user\Desktop\211.exe | Unpacked PE file: 5.2.211.exe.10000000.2.unpack
Source: 211.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: Binary string: devco n.pdbo source: 211.exe
      Source: Binary string: wntdll.pdbUGP source: 211.exe, 00000000.00000003.1486855520.0000000002BA7000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000000.00000002.2740114913.0000000002D54000.00000040.00000020.00020000.00000000.sdmp, 211.exe, 00000005.00000003.1650913098.0000000002B7A000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000005.00000002.2740053388.0000000002D27000.00000040.00000020.00020000.00000000.sdmp, 54e41d.tmp.0.dr, 552434.tmp.5.dr
      Source: Binary string: wntdll.pdb source: 211.exe, 00000000.00000003.1486855520.0000000002BA7000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000000.00000002.2740114913.0000000002D54000.00000040.00000020.00020000.00000000.sdmp, 211.exe, 00000005.00000003.1650913098.0000000002B7A000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000005.00000002.2740053388.0000000002D27000.00000040.00000020.00020000.00000000.sdmp, 54e41d.tmp.0.dr, 552434.tmp.5.dr
      Source: Binary string: DrvInDM U.pdbe source: 211.exe
      Source: Binary string: wuser32.pdb source: 211.exe, 00000000.00000002.2740445326.0000000002F0B000.00000040.00000020.00020000.00000000.sdmp, 211.exe, 00000000.00000003.1487921635.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000005.00000003.1652407175.0000000002B7A000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000005.00000002.2740388485.0000000002EDC000.00000040.00000020.00020000.00000000.sdmp, 5524a1.tmp.5.dr, 54e47b.tmp.0.dr
      Source: Binary string: devc@on.pdb source: 211.exe
      Source: Binary string: wuser32.pdbUGP source: 211.exe, 00000000.00000002.2740445326.0000000002F0B000.00000040.00000020.00020000.00000000.sdmp, 211.exe, 00000000.00000003.1487921635.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000005.00000003.1652407175.0000000002B7A000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000005.00000002.2740388485.0000000002EDC000.00000040.00000020.00020000.00000000.sdmp, 5524a1.tmp.5.dr, 54e47b.tmp.0.dr
Source: C:\Users\user\Desktop\211.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_1000710E
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_1000710E
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_1000710E
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-28h], esp5_2_1000710E
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_1000710E
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1001A199
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_10018AD3
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_10018AD3
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_10018EEA
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_100193C2
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp5_2_100193C2
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10007FDD
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10018801
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_10017804
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10011772
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10013C18
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_10011C1A
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1001A031
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp5_2_10024C38
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_1001AC51
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_1001AC51
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_1001AC51
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10006051
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10006051
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001385A
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_10002461
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1000F472
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp5_2_1001847E
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10022882
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-38h], esp5_2_10025484
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp5_2_10025484
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_10006495
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10006C96
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_10014096
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_10014096
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_100024AC
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_100024AC
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_100024AC
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_100024AC
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1000FCB0
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001A8BE
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_100198CC
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_100188E1
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001A4E7
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1000210D
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1000210D
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp5_2_1000B90D
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10003116
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10017D41
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10017D41
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1000FD4D
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_10001D56
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp5_2_10025977
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10010199
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_1001419C
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_1001419C
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10008DA3
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_100111A7
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10007DB8
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp5_2_100151BD
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp5_2_100151BD
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp5_2_100151BD
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-28h], esp5_2_1001D1C4
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_1001D1C4
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_100259D9
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp5_2_100221E2
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp5_2_100221E2
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp5_2_100221E2
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp5_2_100221E2
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp5_2_100221E2
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_100189E6
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1000FDEA
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_100101FB
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_10014203
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001121A
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001121A
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001121A
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001121A
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001121A
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001121A
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1000B61E
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp5_2_1001221F
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp5_2_1001221F
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001A236
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1001363D
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001363D
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10008E40
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_10011653
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_10011653
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10010255
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10010255
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10007E55
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp5_2_10007E55
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_1000C655
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_1000C655
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_1000C655
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-40h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_1000C655
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_1000C655
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_1000C655
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-40h], esp5_2_1000C655
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp5_2_1000C655
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1000FA6F
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10022A80
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10011E89
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-54h], esp5_2_1002129C
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp5_2_1002129C
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_1002129C
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1001A6C7
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp5_2_10017ECA
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10010AD6
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10010AD6
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-38h], esp5_2_10008EDD
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_1001BADE
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_100246E4
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1001A6F8
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp5_2_1001A6F8
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1001A6F8
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1001A6F8
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1001A6F8
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1001A6F8
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_100236FF
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp5_2_100236FF
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1000FF10
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10008B27
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_1001BB29
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_10015B34
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1000833D
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-34h], esp5_2_10012B40
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp5_2_1000634E
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1000B353
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_10026356
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-54h], esp5_2_1001DB5C
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_1001DB5C
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10017B68
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_10011772
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-38h], esp5_2_10024781
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp5_2_10024781
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1002378A
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1002378A
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp5_2_1002378A
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1002378A
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp5_2_1002378A
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp5_2_10014289
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001BFA0
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001BFA0
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001BFA0
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp5_2_1001BFA0
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp5_2_1001BFA0
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp5_2_1000A7A2
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_100137A3
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_1000F7AC
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10008BC4
      Source: C:\Users\user\Desktop\211.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp5_2_10013FC8
      Source: global traffic | HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) | Host: 42.193.100.57 | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) | Host: 42.193.100.57 | Cache-Control: no-cache
      Source: unknown | TCP traffic detected without corresponding DNS query: 42.193.100.57
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Server: Microsoft-IIS/8.5 | Date: Wed, 20 Nov 2024 08:14:56 GMT | Content-Length: 1163
      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Server: Microsoft-IIS/8.5 | Date: Wed, 20 Nov 2024 08:15:12 GMT | Content-Length: 1163
      Source: 211.exe | String found in binary or memory: http://.httpsset-cookie:;;
      Source: 211.exe, 00000000.00000002.2738661260.0000000000C20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/
      Source: 211.exe | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/
      Source: 211.exe, 00000005.00000002.2738541455.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt
      Source: 211.exe, 00000005.00000002.2738541455.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt87
      Source: 211.exe, 00000000.00000002.2738661260.0000000000C54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt;
      Source: 211.exe, 00000000.00000002.2738661260.0000000000C35000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtS
      Source: 211.exe, 00000000.00000002.2738661260.0000000000C54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtX
      Source: 211.exe, 00000005.00000002.2738541455.0000000000C15000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtm
      Source: 211.exe | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt
      Source: 211.exe, 00000005.00000002.2738541455.0000000000BE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt-
      Source: 211.exe, 00000005.00000002.2738541455.0000000000BE2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt6
      Source: 211.exe, 00000005.00000002.2738541455.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtF
      Source: 211.exe, 00000000.00000002.2738661260.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000005.00000002.2738541455.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtgrams
      Source: 211.exe | String found in binary or memory: http://ocsp.t
      Source: 211.exe | String found in binary or memory: http://sf.symc
      Source: 211.exe | String found in binary or memory: http://ts-ocsp.ws.s
      Source: 211.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.
      Source: 211.exe | String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
      Source: 211.exe | String found in binary or memory: https://User-Agent:Mozilla/4.0
      Source: 211.exe | String found in binary or memory: https://note.youdao.com/yws/public/note/03cb89fe74e7b4305099ed5dabde2135?sev=j1
      Source: 211.exe | String found in binary or memory: https://ww(w.v
      Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits,0_2_1001F2ED
      Source: 211.exe, 00000000.00000002.2740445326.0000000002F0B000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: GetRawInputDatamemstr_2a3fcccb-e
      Source: Yara match | File source: Process Memory Space: 211.exe PID: 6600, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: 211.exe PID: 5408, type: MEMORYSTR
      Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_10007FDD NtClose,0_2_10007FDD
      Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_1001419C ReleaseMutex,NtClose,0_2_1001419C
      Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_1001221F NtClose,0_2_1001221F
      Source: C:\Users\user\Desktop\211.exe | Code function: 5_2_10007FDD NtClose,5_2_10007FDD
      Source: C:\Users\user\Desktop\211.exe | Code function: 5_2_1001419C ReleaseMutex,NtClose,5_2_1001419C
      Source: C:\Users\user\Desktop\211.exe | Code function: 5_2_1001221F NtClose,5_2_1001221F
      Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_004C6680
      Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_004C51A0
      Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_10002628
      Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_100032EA
      Source: C:\Users\user\Desktop\211.exe | Code function: 5_2_004C6680
      Source: C:\Users\user\Desktop\211.exe | Code function: 5_2_004C51A0
      Source: C:\Users\user\Desktop\211.exe | Code function: 5_2_10002628
      Source: C:\Users\user\Desktop\211.exe | Code function: 5_2_100032EA
      Source: C:\Users\user\Desktop\211.exe | Process token adjusted: Load Driver
      Source: C:\Users\user\Desktop\211.exe | Process token adjusted: Security
      Source: C:\Users\user\Desktop\211.exe | Code function: String function: 10029640 appears 130 times
      Source: 54e41d.tmp.0.dr | Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
      Source: 552434.tmp.5.dr | Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
      Source: 54e41d.tmp.0.dr | Static PE information: No import functions for PE file found
      Source: 552434.tmp.5.dr | Static PE information: No import functions for PE file found
      Source: 211.exe, 00000000.00000002.2740114913.0000000002E81000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 211.exe
      Source: 211.exe, 00000000.00000003.1487921635.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 211.exe
      Source: 211.exe, 00000000.00000003.1486855520.0000000002CCA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 211.exe
      Source: 211.exe, 00000000.00000002.2740445326.0000000002FB3000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 211.exe
      Source: 211.exe, 00000005.00000003.1652407175.0000000002B7A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 211.exe
      Source: 211.exe, 00000005.00000002.2740053388.0000000002E54000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 211.exe
      Source: 211.exe, 00000005.00000003.1650913098.0000000002C9D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 211.exe
      Source: 211.exe, 00000005.00000002.2740388485.0000000002F84000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 211.exe
      Source: 211.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: QQWER.dll.0.dr | Static PE information: Section: .rsrc ZLIB complexity 1.0002780183550337
      Source: 552434.tmp.5.dr | Binary string: \Device\IPT[
      Source: classification engine | Classification label: mal84.evad.winEXE@2/10@0/1
      Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_0041FD8E GetDiskFreeSpaceExA,0_2_0041FD8E
      Source: C:\Users\user\Desktop\211.exe | File created: C:\Users\user\Desktop\QQWER.dll
      Source: C:\Users\user\Desktop\211.exe | Mutant created: NULL
      Source: C:\Users\user\Desktop\211.exe | File created: C:\Users\user\AppData\Local\Temp\54e41d.tmp
      Source: 211.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\211.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: 211.exe | ReversingLabs: Detection: 47%
      Source: unknown | Process created: C:\Users\user\Desktop\211.exe "C:\Users\user\Desktop\211.exe"
      Source: unknown | Process created: C:\Users\user\Desktop\211.exe "C:\Users\user\Desktop\211.exe"
      Source: C:\Users\user\Desktop\211.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: winmm.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: rasapi32.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: wininet.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: rasman.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: dpapi.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: winnsi.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: textshaping.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: textinputframework.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: coreuicomponents.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: coremessaging.dll
      Source: C:\Users\user\Desktop\211.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\211.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
      Source: C:\Users\user\Desktop\211.exe | Window detected: Number of UI elements: 23
      Source: 211.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
      Source: 211.exe | Static file information: File size 5214208 > 1048576
      Source: 211.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x14f000
      Source: 211.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x284000
      Source: 211.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x10d000
      Source: Binary string: devco n.pdbo source: 211.exe
      Source: Binary string: wntdll.pdbUGP source: 211.exe, 00000000.00000003.1486855520.0000000002BA7000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000000.00000002.2740114913.0000000002D54000.00000040.00000020.00020000.00000000.sdmp, 211.exe, 00000005.00000003.1650913098.0000000002B7A000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000005.00000002.2740053388.0000000002D27000.00000040.00000020.00020000.00000000.sdmp, 54e41d.tmp.0.dr, 552434.tmp.5.dr
      Source: Binary string: wntdll.pdb source: 211.exe, 00000000.00000003.1486855520.0000000002BA7000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000000.00000002.2740114913.0000000002D54000.00000040.00000020.00020000.00000000.sdmp, 211.exe, 00000005.00000003.1650913098.0000000002B7A000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000005.00000002.2740053388.0000000002D27000.00000040.00000020.00020000.00000000.sdmp, 54e41d.tmp.0.dr, 552434.tmp.5.dr
      Source: Binary string: DrvInDM U.pdbe source: 211.exe
      Source: Binary string: wuser32.pdb source: 211.exe, 00000000.00000002.2740445326.0000000002F0B000.00000040.00000020.00020000.00000000.sdmp, 211.exe, 00000000.00000003.1487921635.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000005.00000003.1652407175.0000000002B7A000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000005.00000002.2740388485.0000000002EDC000.00000040.00000020.00020000.00000000.sdmp, 5524a1.tmp.5.dr, 54e47b.tmp.0.dr
      Source: Binary string: devc@on.pdb source: 211.exe
      Source: Binary string: wuser32.pdbUGP source: 211.exe, 00000000.00000002.2740445326.0000000002F0B000.00000040.00000020.00020000.00000000.sdmp, 211.exe, 00000000.00000003.1487921635.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000005.00000003.1652407175.0000000002B7A000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000005.00000002.2740388485.0000000002EDC000.00000040.00000020.00020000.00000000.sdmp, 5524a1.tmp.5.dr, 54e47b.tmp.0.dr

      Data Obfuscation

      Source: C:\Users\user\Desktop\211.exe | Unpacked PE file: 0.2.211.exe.10000000.2.unpack
      Source: C:\Users\user\Desktop\211.exe | Unpacked PE file: 5.2.211.exe.10000000.2.unpack
      Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_004C45F0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,0_2_004C45F0
      Source: initial sample | Static PE information: section where entry point is pointing to: .rsrc
      Source: QQWER.dll.0.dr | Static PE information: section name: .Upack
      Source: 54e41d.tmp.0.dr | Static PE information: section name: RT
      Source: 54e41d.tmp.0.dr | Static PE information: section name: .mrdata
      Source: 54e41d.tmp.0.dr | Static PE information: section name: .00cfg
      Source: 54e47b.tmp.0.dr | Static PE information: section name: .didat
      Source: 552434.tmp.5.dr | Static PE information: section name: RT
      Source: 552434.tmp.5.dr | Static PE information: section name: .mrdata
      Source: 552434.tmp.5.dr | Static PE information: section name: .00cfg
      Source: 5524a1.tmp.5.dr | Static PE information: section name: .didat
      Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_0052F2C0 push eax; ret 0_2_0052F2EE
      Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_00531534 push eax; ret 0_2_00531552
      Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_1002C7F8 push edi; ret 0_2_1002C7FC
      Source: C:\Users\user\Desktop\211.exe | Code function: 5_2_0052F2C0 push eax; ret 5_2_0052F2EE
      Source: C:\Users\user\Desktop\211.exe | Code function: 5_2_00531534 push eax; ret 5_2_00531552
      Source: C:\Users\user\Desktop\211.exe | Code function: 5_2_1002C7F8 push edi; ret 5_2_1002C7FC
      Source: QQWER.dll.0.dr | Static PE information: section name: .rsrc entropy: 7.999713933191419
      Source: 54e41d.tmp.0.dr | Static PE information: section name: .text entropy: 6.844715065913507
      Source: 552434.tmp.5.dr | Static PE information: section name: .text entropy: 6.844715065913507
      Source: C:\Users\user\Desktop\211.exe | File created: C:\Users\user\AppData\Local\Temp\54e47b.tmp
      Source: C:\Users\user\Desktop\211.exe | File created: C:\Users\user\AppData\Local\Temp\54e41d.tmp
      Source: C:\Users\user\Desktop\211.exe | File created: C:\Users\user\AppData\Local\Temp\5524a1.tmp
      Source: C:\Users\user\Desktop\211.exe | File created: C:\Users\user\Desktop\QQWER.dll
      Source: C:\Users\user\Desktop\211.exe | File created: C:\Users\user\AppData\Local\Temp\552434.tmp
      Source: C:\Users\user\Desktop\211.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
      Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_004CC590 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow,0_2_004CC590
      Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits,0_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exe | Code function: 5_2_004CC590 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow,5_2_004CC590
      Source: C:\Users\user\Desktop\211.exe | Code function: 5_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits,5_2_1001F2ED
      Source: C:\Users\user\Desktop\211.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

Source: C:\Users\user\Desktop\211.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_0-23006)
Source: C:\Users\user\Desktop\211.exe | File opened: C:\Windows\SysWOW64\ntdll.dll (4 occurrences)
Source: C:\Users\user\Desktop\211.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\54e47b.tmp
Source: C:\Users\user\Desktop\211.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\54e41d.tmp
Source: C:\Users\user\Desktop\211.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5524a1.tmp
Source: C:\Users\user\Desktop\211.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\QQWER.dll
Source: C:\Users\user\Desktop\211.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\552434.tmp
Source: C:\Users\user\Desktop\211.exe | File Volume queried: C:\ FullSizeInformation (2 occurrences)
Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_1000710E GetVersionExA,GetSystemInfo,RtlGetNtVersionNumbers
Source: 211.exe, 00000005.00000002.2738541455.0000000000B88000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWx
Source: 211.exe, 00000000.00000002.2738661260.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp
Source: 211.exe, 00000000.00000002.2738661260.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000000.00000003.1551065289.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000005.00000002.2738541455.0000000000C15000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000005.00000003.1710108421.0000000000C16000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\211.exe | API call chain: ExitProcess graph end node (graph_0-23120)
Source: C:\Users\user\Desktop\211.exe | API call chain: ExitProcess graph end node (graph_5-23093)
Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_10004B1B LdrInitializeThunk
Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_004C45F0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary
Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_1001A4C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_1000AE99 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\211.exe | Code function: 5_2_1001A4C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\211.exe | Code function: 5_2_1000AE99 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_004B1250 GetProcessHeap,RtlAllocateHeap
Source: C:\Users\user\Desktop\211.exe | Process token adjusted: Debug (2 occurrences)
Source: 211.exe | Binary or memory string: @TaskbarCreatedShell_TrayWndTrayNotifyWndSysPagerToolbarWindow32@@
Source: 211.exe | Binary or memory string: Shell_TrayWnd
Source: 211.exe, 00000000.00000002.2740445326.0000000002F0B000.00000040.00000020.00020000.00000000.sdmp, 211.exe, 00000000.00000002.2738661260.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000000.00000003.1487921635.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow
Source: 211.exe, 00000000.00000002.2738661260.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow?
Source: 211.exe, 00000005.00000002.2738541455.0000000000B88000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow9
Source: 211.exe, 00000000.00000002.2740445326.0000000002F0B000.00000040.00000020.00020000.00000000.sdmp, 211.exe, 00000000.00000002.2738661260.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000000.00000003.1487921635.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_10019EDC cpuid
Source: C:\Users\user\Desktop\211.exe | Code function: 0_2_00533C00 GetVersionExA,GetEnvironmentVariableA,GetModuleFileNameA
MITRE ATT&CK matrix, listed per tactic (the leading digits are the match counters shown in the original matrix cells):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 11 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 Registry Run Keys / Startup Folder; 1 LSASS Driver; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 2 Process Injection; 1 Registry Run Keys / Startup Folder; 1 LSASS Driver; 1 DLL Side-Loading; Network Logon Script; RC Scripts
Defense Evasion: 1 Masquerading; 2 Process Injection; 1 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 111 Security Software Discovery; 1 Process Discovery; 1 Application Window Discovery; 15 System Information Discovery; Internet Connection Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Screen Capture; 11 Input Capture; 1 Archive Collected Data; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
211.exe | 47% | ReversingLabs |
211.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\Desktop\QQWER.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\54e41d.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\54e47b.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\552434.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\5524a1.tmp | 0% | ReversingLabs |
C:\Users\user\Desktop\QQWER.dll | 73% | ReversingLabs | Win32.Infostealer.OnlineGames
      No Antivirus matches
      No Antivirus matches
Source | Detection | Scanner | Label
http://.httpsset-cookie:;; | 0% | Avira URL Cloud | safe
http://42.193.100.57/ | 0% | Avira URL Cloud | safe
http://ocsp.t | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtS | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtF | 0% | Avira URL Cloud | safe
http://ts-ocsp.ws.s | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtX | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtgrams | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt- | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtm | 0% | Avira URL Cloud | safe
http://ts-ocsp.ws.symantec. | 0% | Avira URL Cloud | safe
http://sf.symc | 0% | Avira URL Cloud | safe
https://ww(w.v | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt6 | 0% | Avira URL Cloud | safe
https://User-Agent:Mozilla/4.0 | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt; | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E5%AD%98%E6%A1%A3/ | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt87 | 0% | Avira URL Cloud | safe
      No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtX | 211.exe, 00000000.00000002.2738661260.0000000000C54000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.eyuyan.com)DVarFileInfo$ | 211.exe | false | | high
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtF | 211.exe, 00000005.00000002.2738541455.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.t | 211.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/ | 211.exe, 00000000.00000002.2738661260.0000000000C20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtS | 211.exe, 00000000.00000002.2738661260.0000000000C35000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://.httpsset-cookie:;; | 211.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt- | 211.exe, 00000005.00000002.2738541455.0000000000BE2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtgrams | 211.exe, 00000000.00000002.2738661260.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, 211.exe, 00000005.00000002.2738541455.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ts-ocsp.ws.s | 211.exe | false | Avira URL Cloud: safe | unknown
https://note.youdao.com/yws/public/note/03cb89fe74e7b4305099ed5dabde2135?sev=j1 | 211.exe | false | | high
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtm | 211.exe, 00000005.00000002.2738541455.0000000000C15000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ts-ocsp.ws.symantec. | 211.exe | false | Avira URL Cloud: safe | unknown
http://sf.symc | 211.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt6 | 211.exe, 00000005.00000002.2738541455.0000000000BE2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ww(w.v | 211.exe | false | Avira URL Cloud: safe | unknown
https://User-Agent:Mozilla/4.0 | 211.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E5%AD%98%E6%A1%A3/ | 211.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt87 | 211.exe, 00000005.00000002.2738541455.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt; | 211.exe, 00000000.00000002.2738661260.0000000000C54000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
42.193.100.57 | unknown | China | 4249 | LILLY-ASUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559169
Start date and time: 2024-11-20 09:13:21 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 211.exe
Detection: MAL
Classification: mal84.evad.winEXE@2/10@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 211.exe
Time | Type | Description
09:14:46 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\user\Desktop\211.exe
          No context
          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
LILLY-ASUS | SWIFT COPY 0028_pdf.exe | malicious | FormBook | 43.155.76.124
LILLY-ASUS | arm7.nn-20241120-0508.elf | malicious | Mirai, Okiru | 43.52.215.121
LILLY-ASUS | arm.nn-20241120-0508.elf | malicious | Mirai, Okiru | 43.152.251.74
LILLY-ASUS | x86_32.nn.elf | malicious | Mirai, Okiru | 40.221.176.183
LILLY-ASUS | https://trackwniw.top/i | malicious | Unknown | 43.130.33.71
LILLY-ASUS | https://trackwniw.top/i | malicious | Unknown | 43.130.33.71
LILLY-ASUS | owari.m68k.elf | malicious | Unknown | 42.132.90.14
LILLY-ASUS | owari.arm7.elf | malicious | Mirai | 43.100.132.215
LILLY-ASUS | owari.arm.elf | malicious | Unknown | 40.167.148.109
LILLY-ASUS | owari.spc.elf | malicious | Unknown | 40.205.187.175
          No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\54e47b.tmp | SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\54e47b.tmp | file.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\54e47b.tmp | file.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\54e47b.tmp | file.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\54e47b.tmp | FZ6oyLoqGM.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\54e47b.tmp | Lisect_AVT_24003_G1A_54.exe | malicious | Bdaejec
C:\Users\user\AppData\Local\Temp\54e47b.tmp | LisectAVT_2403002A_186.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\54e47b.tmp | zde6gdIB73.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\54e47b.tmp | SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll | malicious | Unknown
C:\Users\user\AppData\Local\Temp\54e47b.tmp | SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll | malicious | Unknown
C:\Users\user\AppData\Local\Temp\54e41d.tmp | SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\54e41d.tmp | file.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\54e41d.tmp | file.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\54e41d.tmp | file.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\54e41d.tmp | BCNFNjvJNq.exe | malicious | ADWIND, Lokibot, Ramnit, Sality
C:\Users\user\AppData\Local\Temp\54e41d.tmp | cnlg48.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\54e41d.tmp | Lisect_AVT_24003_G1A_54.exe | malicious | Bdaejec
C:\Users\user\AppData\Local\Temp\54e41d.tmp | LisectAVT_2403002A_186.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\54e41d.tmp | zde6gdIB73.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\54e41d.tmp | SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll | malicious | Unknown
Process: C:\Users\user\Desktop\211.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1699896
Entropy (8bit): 6.290547513916722
Encrypted: false
SSDEEP: 24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5: 5564A98A4692BA8B2D25770FB834D5F6
SHA1: 129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256: 28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512: D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: BCNFNjvJNq.exe, Detection: malicious
• Filename: cnlg48.exe, Detection: malicious
• Filename: Lisect_AVT_24003_G1A_54.exe, Detection: malicious
• Filename: LisectAVT_2403002A_186.exe, Detection: malicious
• Filename: zde6gdIB73.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll, Detection: malicious
Reputation: moderate, very likely benign file
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................
Process: C:\Users\user\Desktop\211.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1679648
Entropy (8bit): 5.3288490918902225
Encrypted: false
SSDEEP: 24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5: 2E8AB67DC55089DFBCBFA7710BD15B07
SHA1: 159434853CE512029314C6B70070220D251A924A
SHA-256: 2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512: 7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: FZ6oyLoqGM.exe, Detection: malicious
• Filename: Lisect_AVT_24003_G1A_54.exe, Detection: malicious
• Filename: LisectAVT_2403002A_186.exe, Detection: malicious
• Filename: zde6gdIB73.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Evo-gen.28674.10592.dll, Detection: malicious
Reputation: moderate, very likely benign file
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\211.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1699896
Entropy (8bit): 6.290547513916722
Encrypted: false
SSDEEP: 24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5: 5564A98A4692BA8B2D25770FB834D5F6
SHA1: 129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256: 28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512: D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: moderate, very likely benign file
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................
Process: C:\Users\user\Desktop\211.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1679648
Entropy (8bit): 5.3288490918902225
Encrypted: false
SSDEEP: 24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5: 2E8AB67DC55089DFBCBFA7710BD15B07
SHA1: 159434853CE512029314C6B70070220D251A924A
SHA-256: 2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512: 7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: moderate, very likely benign file
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\211.exe
File Type: PC bitmap, Windows 3.x format, 43 x 25 x 24, image size 3300, cbSize 3354, bits offset 54
Category: dropped
Size (bytes): 3354
Entropy (8bit): 2.989481212693407
Encrypted: false
SSDEEP: 12:hqVRlllllllllLlll7lllllllllp9l+fs9WLtOlqTT9WLXLELc9WLccwlVLcEAAZ:pIsgTZMY
MD5: 6391A0DCDD648730D0801673DAA5E9C9
SHA1: 023E19E73F390D6C976A75E4804E356F8D4E2B79
SHA-256: 8CBC9646B997839C056FA4C663B843971C084CDC044502753A543D83D35092C5
SHA-512: 17C8C196F2D27928FA01E2A461E9F2400E1ACFE73B50A3B3B9A03C3117D2EEC346E9032CE35DA508C26BE561404142DD073D5F7E393729160830EE148C5F4536
Malicious: false
                                                  Process:C:\Users\user\Desktop\211.exe
                                                  File Type:PC bitmap, Windows 3.x format, 122 x 40 x 24, image size 14720, cbSize 14774, bits offset 54
                                                  Category:dropped
                                                  Size (bytes):14774
                                                  Entropy (8bit):4.868699837953847
                                                  Encrypted:false
                                                  SSDEEP:384:fDinzsGO052UtTri2fzOJ3pzvdTzD8mZxEBxQ74w2jBfG79s6OY:riA/w1ObZSny4dRI9Hh
                                                  MD5:EE883808D176D23096A2D4F339C84368
                                                  SHA1:D901775EDE136567215ABE718023C1A62F46A0A6
                                                  SHA-256:3D28C7A863B6E937EBC72AD585F94359B6BC2FF8523173DB0FEEFBC803AB372B
                                                  SHA-512:F14CF6522847121246B7913FA1C800227EEEAFAE5F7AA44D2E45ED55EC50B2A729C109B222D0F2E3FECFB3B16031AEF742C286DA0393322A73C4B182C71033D3
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\211.exe
                                                  File Type:PC bitmap, Windows 3.x format, 124 x 21 x 24, image size 7812, cbSize 7866, bits offset 54
                                                  Category:dropped
                                                  Size (bytes):7866
                                                  Entropy (8bit):2.8370523003123043
                                                  Encrypted:false
                                                  SSDEEP:24:o4XlQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQP:T+QgQ2VQPQ/QNQmQTQGQKxQyQIHiw1
                                                  MD5:5D70530E3663B004B68425154CB9AFB9
                                                  SHA1:46CFADA3D2EDE8A3280598BD4E2EC89CE0C7D56F
                                                  SHA-256:0818DF2198DA1889321E82F769F3AA6B01F9CD773987354A8F5E0908379F45CE
                                                  SHA-512:824569EAB3FBB412708BB35CDF0A3630289008307A518E68253CFAAD379CFB830C56A2582D2FB071561BF2FB3ADB2535CEBA13319A3A096009357E152022119E
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\211.exe
                                                  File Type:PC bitmap, Windows 3.x format, 132 x 32 x 24, image size 12672, cbSize 12726, bits offset 54
                                                  Category:dropped
                                                  Size (bytes):12726
                                                  Entropy (8bit):5.79054775797227
                                                  Encrypted:false
                                                  SSDEEP:384:xcEOHiLY/s8/wo4C4tPzSrEEBN/LMzeW1:xcdHiLeF4Q4pSY+hLMzv
                                                  MD5:FA9FA099399E2ADF93BE1348C4AED087
                                                  SHA1:3FB710D8AD919AE6783E222DF46305E39FA81098
                                                  SHA-256:3749B52884564A500221E53DE5FCF24A2F6E3EDB4E58ADB13CF2B5F8F422BA7B
                                                  SHA-512:A6D378F8AD7EFAF4A3067D3F601AFAB53C83947DA29C9F6A21BAD21F287D2CAB093939BD017F32971EE6B3DA1EC82BE6D59234CB446A325A33C8AA5215200DD8
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\211.exe
                                                  File Type:PC bitmap, Windows 3.x format, 312 x 196 x 24, image size 183456, cbSize 183510, bits offset 54
                                                  Category:dropped
                                                  Size (bytes):183510
                                                  Entropy (8bit):5.556020063769881
                                                  Encrypted:false
                                                  SSDEEP:3072:6Sv2XACrsCmcuRGDpKiVarMsILpZTjDuD:rv2tNRdn5hpZvQ
                                                  MD5:1C4B3140D22A2921DC9E023E3E68963E
                                                  SHA1:0D4F280950E2221F30D40DF40A14C496FD5B9723
                                                  SHA-256:4F7D1D27980D902757136771413B5B9E681D7D5664259F8C0914DAEF986F1614
                                                  SHA-512:F0615BDA954AA84B871237F7BD64046BB99CAD7EE1CB43C28917B13EB5EC08120E659138C721A660D8B00567E00B79BB6C9384ED30E8EB522D84617177642037
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\211.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):687517
                                                  Entropy (8bit):7.999653084247243
                                                  Encrypted:true
                                                  SSDEEP:12288:nAPtAe/2ByNkI6K8Pi7GMskNEkzJ0x1d2GpSI5EwLtwun3aPh:nEtAemv+hNZGTds9UtwgqPh
                                                  MD5:4B7109E2F77FF15219B81079DF8C12B2
                                                  SHA1:AB3BF417AF304B83CD49707E399BC06E1E10D519
                                                  SHA-256:BE7A0A59B36299F40D6AC2FC126ACFD6C8BBFF8C4F8D9D85267DF3E2E1E3AED3
                                                  SHA-512:770EBECF21AAD663BB27F7800AE476FF3B9EF444FF661916CB50E65AE4987DDE7413E4AE83FD152C47A296C13E41D4544AED3C780F0F5958BB605F57016537E7
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 73%
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):6.520542760696454
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:211.exe
                                                  File size:5'214'208 bytes
                                                  MD5:f7c96ff131b356fe164c8d666c0f3b46
                                                  SHA1:7468349a73f810bcf320dd6ae65cb46fc81a9c10
                                                  SHA256:fb2812b22e399ad46d1c3da512199be1647ad932dd5c0166d58be87cde3e1876
                                                  SHA512:3ed0e90e947e80af53b74b0e6fbaca4ba4de5005eb066d6a975fc3455320b6e48a8fca7858916769ab1f38143e8a3a63f1452d5568fe5d3728d04e80f583d470
                                                  SSDEEP:98304:Br7X73KcrCU3KoRdqPU4RRXuDuDRRXuDuQ:B/j0ounXuDKnXuDz
                                                  TLSH:4A367B036612C866D2112BF825B1E378D6780FE47C3A87539BF0FCA7BD71A935E26485
                                                  Icon Hash:0f4de1ab8d45c74d
                                                  Entrypoint:0x52dcc8
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                  DLL Characteristics:
                                                  Time Stamp:0x66FBDAC3 [Tue Oct 1 11:19:31 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:04c7a30e342800eb893154d4d8d3104c
                                                  Instruction
                                                  push ebp
                                                  mov ebp, esp
                                                  push FFFFFFFFh
                                                  push 007C7C88h
                                                  push 00530B34h
                                                  mov eax, dword ptr fs:[00000000h]
                                                  push eax
                                                  mov dword ptr fs:[00000000h], esp
                                                  sub esp, 58h
                                                  push ebx
                                                  push esi
                                                  push edi
                                                  mov dword ptr [ebp-18h], esp
                                                  call dword ptr [005503E8h]
                                                  xor edx, edx
                                                  mov dl, ah
                                                  mov dword ptr [00826EACh], edx
                                                  mov ecx, eax
                                                  and ecx, 000000FFh
                                                  mov dword ptr [00826EA8h], ecx
                                                  shl ecx, 08h
                                                  add ecx, edx
                                                  mov dword ptr [00826EA4h], ecx
                                                  shr eax, 10h
                                                  mov dword ptr [00826EA0h], eax
                                                  push 00000001h
                                                  call 00007F8BD4C6FDA7h
                                                  pop ecx
                                                  test eax, eax
                                                  jne 00007F8BD4C69D8Ah
                                                  push 0000001Ch
                                                  call 00007F8BD4C69E48h
                                                  pop ecx
                                                  call 00007F8BD4C6FB52h
                                                  test eax, eax
                                                  jne 00007F8BD4C69D8Ah
                                                  push 00000010h
                                                  call 00007F8BD4C69E37h
                                                  pop ecx
                                                  xor esi, esi
                                                  mov dword ptr [ebp-04h], esi
                                                  call 00007F8BD4C6F980h
                                                  call dword ptr [00550358h]
                                                  mov dword ptr [0082C0E4h], eax
                                                  call 00007F8BD4C6F83Eh
                                                  mov dword ptr [00826E18h], eax
                                                  call 00007F8BD4C6F5E7h
                                                  call 00007F8BD4C6F529h
                                                  call 00007F8BD4C6E45Ah
                                                  mov dword ptr [ebp-30h], esi
                                                  lea eax, dword ptr [ebp-5Ch]
                                                  push eax
                                                  call dword ptr [005501C8h]
                                                  call 00007F8BD4C6F4BAh
                                                  mov dword ptr [ebp-64h], eax
                                                  test byte ptr [ebp-30h], 00000001h
                                                  je 00007F8BD4C69D88h
                                                  movzx eax, word ptr [ebp+00h]
                                                  Programming Language:
                                                  • [C++] VS98 (6.0) SP6 build 8804
                                                  • [ C ] VS98 (6.0) SP6 build 8804
                                                  • [C++] VS98 (6.0) build 8168
                                                  • [ C ] VS98 (6.0) build 8168
                                                  • [EXP] VC++ 6.0 SP5 build 8804
                                                  Name | Virtual Address | Virtual Size | Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d0c38 | 0x12c | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x42d000 | 0x10ce8c | .rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x150000 | 0x7d8 | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                  .text | 0x1000 | 0x14ef9e | 0x14f000 | c9cb067c90ba074082bf1bdbc038968b | False | 0.4092962919776119 | data | 6.422188622910651 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                  .rdata | 0x150000 | 0x2834c4 | 0x284000 | 361f3ba8b4a7e8ac68403aa8c9d602d5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .data | 0x3d4000 | 0x580ea | 0x18000 | 5ac9ea36473584074a110fc722e89bf9 | False | 0.3038736979166667 | data | 5.056593982654259 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                  .rsrc | 0x42d000 | 0x10ce8c | 0x10d000 | d3bdacf806d2791faee1b46de24170eb | False | 0.42529569150789964 | data | 5.2836179081265 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                  TEXTINCLUDE | 0x42db9c | 0xb | ASCII text, with no line terminators | Chinese | China | 1.7272727272727273
                                                  TEXTINCLUDE | 0x42dba8 | 0x16 | data | Chinese | China | 1.3636363636363635
                                                  TEXTINCLUDE | 0x42dbc0 | 0x151 | C source, ASCII text, with CRLF line terminators | Chinese | China | 0.6201780415430267
                                                  RT_CURSOR | 0x42dd14 | 0x134 | data | Chinese | China | 0.5811688311688312
                                                  RT_CURSOR | 0x42de48 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.37662337662337664
                                                  RT_CURSOR | 0x42df7c | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.4805194805194805
                                                  RT_CURSOR | 0x42e0b0 | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | Chinese | China | 0.7
                                                  RT_BITMAP | 0x42e164 | 0x248 | Device independent bitmap graphic, 64 x 15 x 4, image size 480 | Chinese | China | 0.3407534246575342
                                                  RT_BITMAP | 0x42e3ac | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.4444444444444444
                                                  RT_BITMAP | 0x42e4f0 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.26453488372093026
                                                  RT_BITMAP | 0x42e648 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2616279069767442
                                                  RT_BITMAP | 0x42e7a0 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2441860465116279
                                                  RT_BITMAP | 0x42e8f8 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.24709302325581395
                                                  RT_BITMAP | 0x42ea50 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2238372093023256
                                                  RT_BITMAP | 0x42eba8 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.19476744186046513
                                                  RT_BITMAP | 0x42ed00 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.20930232558139536
                                                  RT_BITMAP | 0x42ee58 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.18895348837209303
                                                  RT_BITMAP | 0x42efb0 | 0x5e4 | Device independent bitmap graphic, 70 x 39 x 4, image size 1404 | Chinese | China | 0.34615384615384615
                                                  RT_BITMAP | 0x42f594 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | Chinese | China | 0.44565217391304346
                                                  RT_BITMAP | 0x42f64c | 0x16c | Device independent bitmap graphic, 39 x 13 x 4, image size 260 | Chinese | China | 0.28296703296703296
                                                  RT_BITMAP | 0x42f7b8 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.37962962962962965
                                                  RT_ICON | 0x42f8fc | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Chinese | China | 0.26344086021505375
                                                  RT_ICON | 0x42fbe4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Chinese | China | 0.41216216216216217
                                                  RT_ICON | 0x42fd0c | 0x108028 | Device independent bitmap graphic, 512 x 1024 x 32, image size 2097152 | | | 0.4381828308105469
                                                  RT_MENU | 0x537d34 | 0xc | data | Chinese | China | 1.5
                                                  RT_MENU | 0x537d40 | 0x284 | data | Chinese | China | 0.5
                                                  RT_DIALOG | 0x537fc4 | 0x98 | data | Chinese | China | 0.7171052631578947
                                                  RT_DIALOG | 0x53805c | 0x17a | data | Chinese | China | 0.5185185185185185
                                                  RT_DIALOG | 0x5381d8 | 0xfa | data | Chinese | China | 0.696
                                                  RT_DIALOG | 0x5382d4 | 0xea | data | Chinese | China | 0.6239316239316239
                                                  RT_DIALOG | 0x5383c0 | 0x8ae | data | Chinese | China | 0.39603960396039606
                                                  RT_DIALOG | 0x538c70 | 0xb2 | data | Chinese | China | 0.7359550561797753
                                                  RT_DIALOG | 0x538d24 | 0xcc | data | Chinese | China | 0.7647058823529411
                                                  RT_DIALOG | 0x538df0 | 0xb2 | data | Chinese | China | 0.6629213483146067
                                                  RT_DIALOG | 0x538ea4 | 0xe2 | data | Chinese | China | 0.6637168141592921
                                                  RT_DIALOG | 0x538f88 | 0x18c | data | Chinese | China | 0.5227272727272727
                                                  RT_STRING | 0x539114 | 0x50 | data | Chinese | China | 0.85
                                                  RT_STRING | 0x539164 | 0x2c | data | Chinese | China | 0.5909090909090909
                                                  RT_STRING | 0x539190 | 0x78 | data | Chinese | China | 0.925
                                                  RT_STRING | 0x539208 | 0x1c4 | data | Chinese | China | 0.8141592920353983
                                                  RT_STRING | 0x5393cc | 0x12a | data | Chinese | China | 0.5201342281879194
                                                  RT_STRING | 0x5394f8 | 0x146 | data | Chinese | China | 0.6288343558282209
                                                  RT_STRING | 0x539640 | 0x40 | data | Chinese | China | 0.65625
                                                  RT_STRING | 0x539680 | 0x64 | data | Chinese | China | 0.73
                                                  RT_STRING | 0x5396e4 | 0x1d8 | data | Chinese | China | 0.6758474576271186
                                                  RT_STRING | 0x5398bc | 0x114 | data | Chinese | China | 0.6376811594202898
                                                  RT_STRING | 0x5399d0 | 0x24 | data | Chinese | China | 0.4444444444444444
                                                  RT_GROUP_CURSOR | 0x5399f4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.25
                                                  RT_GROUP_CURSOR | 0x539a08 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.25
                                                  RT_GROUP_CURSOR | 0x539a1c | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China | 1.0294117647058822
                                                  RT_GROUP_ICON | 0x539a40 | 0x14 | Targa image data - Map 32 x 32808 x 16 | | | 1.1
                                                  RT_GROUP_ICON | 0x539a54 | 0x14 | data | Chinese | China | 1.2
                                                  RT_GROUP_ICON | 0x539a68 | 0x14 | data | Chinese | China | 1.25
                                                  RT_VERSION | 0x539a7c | 0x240 | data | Chinese | China | 0.5642361111111112
                                                  RT_MANIFEST | 0x539cbc | 0x1cd | XML 1.0 document, ASCII text, with very long lines (461), with no line terminators | | | 0.5878524945770065
                                                  DLL | Import
                                                  WINMM.dll | midiStreamOut, midiOutPrepareHeader, midiStreamProperty, midiStreamOpen, midiOutUnprepareHeader, waveOutOpen, waveOutRestart, waveOutUnprepareHeader, waveOutPrepareHeader, waveOutWrite, waveOutPause, waveOutReset, waveOutClose, midiStreamStop, midiOutReset, midiStreamClose, midiStreamRestart, waveOutGetNumDevs
                                                  WS2_32.dll | WSAAsyncSelect, closesocket, send, select, WSAStartup, inet_ntoa, recvfrom, ioctlsocket, recv, getpeername, accept, WSACleanup, ntohl
                                                  RASAPI32.dll | RasGetConnectStatusA, RasHangUpA
                                                  KERNEL32.dll | MultiByteToWideChar, SetLastError, GetTimeZoneInformation, OpenProcess, TerminateThread, FileTimeToSystemTime, CreateMutexA, ReleaseMutex, SuspendThread, GetStartupInfoA, GetOEMCP, GetCPInfo, GetProcessVersion, SetErrorMode, GlobalFlags, GetCurrentThread, GetFileTime, TlsGetValue, LocalReAlloc, TlsSetValue, TlsFree, GlobalHandle, TlsAlloc, LocalAlloc, lstrcmpA, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, lstrcmpiA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, DuplicateHandle, lstrcpynA, FileTimeToLocalFileTime, LocalFree, WideCharToMultiByte, InterlockedDecrement, InterlockedIncrement, TerminateProcess, GetCurrentProcess, GetFileSize, SetFilePointer, CreateToolhelp32Snapshot, Process32First, Process32Next, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, lstrlenW, RemoveDirectoryA, GetModuleFileNameA, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GetDriveTypeA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetUserDefaultLCID, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, GetPrivateProfileStringA, CreateThread, CreateEventA, Sleep, ExpandEnvironmentStringsA, GlobalAlloc, GlobalLock, GlobalUnlock, FindFirstFileA, FindClose, SetFileAttributesA, InterlockedExchange, GetFileAttributesA, DeleteFileA, GetCurrentDirectoryA, SetCurrentDirectoryA, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, MulDiv, GetCommandLineA, GetTickCount, CreateProcessA, WaitForSingleObject, CloseHandle, RtlUnwind, GetSystemTime, GetLocalTime, RaiseException, HeapSize, GetACP, SetStdHandle, GetFileType, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, SetEnvironmentVariableA, LCMapStringA, LCMapStringW, VirtualAlloc, IsBadWritePtr, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, CompareStringA, CompareStringW, IsBadReadPtr, IsBadCodePtr, GetVersion
                                                  USER32.dll | SetWindowRgn, DestroyAcceleratorTable, GetWindow, GetActiveWindow, SetFocus, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, WinHelpA, KillTimer, SetTimer, IsIconic, PeekMessageA, SetMenu, GetMenu, DeleteMenu, GetSystemMenu, DefWindowProcA, GetClassInfoA, IsZoomed, PostQuitMessage, CopyAcceleratorTableA, GetKeyState, TranslateAcceleratorA, IsWindowEnabled, ShowWindow, SystemParametersInfoA, LoadImageA, EnumDisplaySettingsA, ClientToScreen, EnableMenuItem, GetSubMenu, GetDlgCtrlID, ReleaseCapture, GetCapture, SetCapture, GetScrollRange, SetScrollRange, SetScrollPos, SetRect, InflateRect, IntersectRect, DestroyIcon, PtInRect, OffsetRect, IsWindowVisible, EnableWindow, RedrawWindow, GetWindowLongA, SetWindowLongA, GetSysColor, SetActiveWindow, CreateAcceleratorTableA, LoadStringA, GetMenuCheckMarkDimensions, GetMenuState, SetMenuItemBitmaps, CheckMenuItem, MoveWindow, IsDialogMessageA, ScrollWindowEx, SendDlgItemMessageA, MapWindowPoints, AdjustWindowRectEx, GetScrollPos, RegisterClassA, GetMenuItemCount, GetMenuItemID, SetWindowsHookExA, CallNextHookEx, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, RemovePropA, GetMessageTime, GetLastActivePopup, SetCursorPos, LoadCursorA, SetCursor, GetDC, FillRect, IsRectEmpty, ReleaseDC, IsChild, DestroyMenu, SetForegroundWindow, GetWindowRect, EqualRect, UpdateWindow, ValidateRect, InvalidateRect, GetClientRect, GetFocus, GetParent, GetTopWindow, PostMessageA, IsWindow, SetParent, DestroyCursor, SendMessageA, SetWindowPos, MessageBoxA, GetCursorPos, GetSystemMetrics, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, wsprintfA, WaitForInputIdle, CreateMenu, ModifyMenuA, AppendMenuA, CreatePopupMenu, DrawIconEx, CreateIconFromResource, CreateIconFromResourceEx, RegisterClipboardFormatA, SetRectEmpty, DispatchMessageA, GetMessageA, WindowFromPoint, DrawFocusRect, DrawEdge, DrawFrameControl, 
TranslateMessage, LoadIconA, UnregisterClassA, GetDesktopWindow, GetClassNameA, GetWindowThreadProcessId, GetDlgItem, GetWindowTextA, CallWindowProcA, CreateWindowExA, RegisterHotKey, UnregisterHotKey, SetWindowTextA, GetSysColorBrush, FindWindowA, GetWindowTextLengthA, CharUpperA, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, DestroyWindow, CreateDialogIndirectParamA, EndDialog, GetNextDlgTabItem, GetWindowPlacement, RegisterWindowMessageA, GetForegroundWindow
                                                  GDI32.dllPtVisible, GetViewportExtEx, ExtSelectClipRgn, LineTo, Ellipse, Rectangle, LPtoDP, DPtoLP, GetCurrentObject, RoundRect, GetTextExtentPoint32A, GetDeviceCaps, RealizePalette, SelectPalette, StretchBlt, CreatePalette, RectVisible, CreateDIBitmap, DeleteObject, SelectClipRgn, CreatePolygonRgn, GetClipRgn, SetStretchBltMode, CreateRectRgnIndirect, SetBkColor, CreateFontA, TranslateCharsetInfo, MoveToEx, ExcludeClipRect, GetClipBox, ScaleWindowExtEx, SetWindowExtEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, TextOutA, ExtTextOutA, Escape, GetTextMetricsA, CreateCompatibleDC, BitBlt, StartPage, StartDocA, DeleteDC, EndDoc, EndPage, GetObjectA, GetStockObject, CreateFontIndirectA, CreateSolidBrush, FillRgn, CreateRectRgn, CombineRgn, PatBlt, CreatePen, SelectObject, CreateBitmap, SetViewportOrgEx, SetMapMode, SetTextColor, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, CreateDCA, CreateCompatibleBitmap, GetPolyFillMode, GetStretchBltMode, GetROP2, GetBkColor, GetBkMode, GetTextColor, CreateRoundRectRgn, CreateEllipticRgn, PathToRegion, EndPath, BeginPath, GetWindowOrgEx, GetViewportOrgEx, GetWindowExtEx, GetSystemPaletteEntries, GetDIBits
                                                  WINSPOOL.DRVOpenPrinterA, DocumentPropertiesA, ClosePrinter
                                                  ADVAPI32.dllRegQueryValueExA, RegOpenKeyExA, RegSetValueExA, RegDeleteValueA, RegQueryValueA, RegCreateKeyExA, RegOpenKeyA, RegCloseKey
                                                  SHELL32.dllShell_NotifyIconA, SHGetSpecialFolderPathA, SHChangeNotify, ShellExecuteA, DragQueryFileA, DragFinish, DragAcceptFiles
                                                  ole32.dllCLSIDFromProgID, OleRun, CoCreateInstance, CLSIDFromString, OleUninitialize, OleInitialize
                                                  OLEAUT32.dllVariantChangeType, VariantClear, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetElement, VariantCopyInd, VariantInit, SysAllocString, SafeArrayDestroy, SafeArrayGetDim, SafeArrayCreate, SafeArrayUnaccessData, UnRegisterTypeLib, LoadTypeLib, LHashValOfNameSys, RegisterTypeLib, SafeArrayPutElement, SafeArrayAccessData
                                                  COMCTL32.dllImageList_Add, ImageList_BeginDrag, ImageList_Create, ImageList_Destroy, ImageList_DragEnter, ImageList_DragLeave, ImageList_DragMove, ImageList_DragShowNolock, ImageList_EndDrag
                                                  WININET.dllInternetCanonicalizeUrlA, InternetCrackUrlA, HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA, InternetConnectA, InternetSetOptionA, InternetOpenA, InternetCloseHandle, InternetReadFile
                                                  comdlg32.dllChooseColorA, GetOpenFileNameA, GetFileTitleA, GetSaveFileNameA
Language of compilation system | Country where language is spoken | Map
Chinese | China
Timestamp | Source Port | Dest Port | Source IP | Dest IP
• 42.193.100.57
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49701 | 42.193.100.57 | 80 | 6600 | C:\Users\user\Desktop\211.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 09:14:41.975564003 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 42.193.100.57
Cache-Control: no-cache
Nov 20, 2024 09:14:42.924791098 CET | 1236 | IN | HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
Accept-Ranges: bytes
ETag: "c04e101e3bdb1:0"
Server: Microsoft-IIS/8.5
Date: Wed, 20 Nov 2024 08:14:42 GMT
Content-Length: 5139


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.10 | 49702 | 42.193.100.57 | 80 | 6600 | C:\Users\user\Desktop\211.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 09:14:41.975687027 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 42.193.100.57
Cache-Control: no-cache
Nov 20, 2024 09:14:42.930464029 CET | 1236 | IN | HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
Accept-Ranges: bytes
ETag: "c04e101e3bdb1:0"
Server: Microsoft-IIS/8.5
Date: Wed, 20 Nov 2024 08:14:42 GMT
Content-Length: 5139
Nov 20, 2024 09:14:48.967726946 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 42.193.100.57
Cache-Control: no-cache
Nov 20, 2024 09:14:49.384237051 CET | 1236 | IN | HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
Accept-Ranges: bytes
ETag: "c04e101e3bdb1:0"
Server: Microsoft-IIS/8.5
Date: Wed, 20 Nov 2024 08:14:48 GMT
Content-Length: 5139
Nov 20, 2024 09:14:55.982682943 CET | 164 | OUT | GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 42.193.100.57
Cache-Control: no-cache
Nov 20, 2024 09:14:56.362138033 CET | 1236 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/8.5
Date: Wed, 20 Nov 2024 08:14:56 GMT
Content-Length: 1163
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f [TRUNCATED]
                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1></h1></div><div id="content"> <div class="content-container"><fieldset> [TRUNCATED]
                                                  Nov 20, 2024 09:14:56.362185955 CET | 64 | IN
                                                  Data Ascii: </h3> </fieldset></div></div></body></html>


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  2 | 192.168.2.10 | 49709 | 42.193.100.57 | 80 | 5408 | C:\Users\user\Desktop\211.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Nov 20, 2024 09:14:57.563194036 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                                                  Accept: */*
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                  Host: 42.193.100.57
                                                  Cache-Control: no-cache
                                                  Nov 20, 2024 09:14:58.592386007 CET | 1236 | IN | HTTP/1.1 200 OK
                                                  Content-Type: text/plain
                                                  Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
                                                  Accept-Ranges: bytes
                                                  ETag: "c04e101e3bdb1:0"
                                                  Server: Microsoft-IIS/8.5
                                                  Date: Wed, 20 Nov 2024 08:14:58 GMT
                                                  Content-Length: 5139
                                                  Nov 20, 2024 09:14:58.592411041 CET | 1236 | IN
                                                  Nov 20, 2024 09:14:58.592427015 CET | 1236 | IN
                                                  Nov 20, 2024 09:14:58.592441082 CET | 1236 | IN
                                                  Nov 20, 2024 09:14:58.592456102 CET | 419 | IN


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  3 | 192.168.2.10 | 49710 | 42.193.100.57 | 80 | 5408 | C:\Users\user\Desktop\211.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Nov 20, 2024 09:14:58.006886959 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                                                  Accept: */*
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                  Host: 42.193.100.57
                                                  Cache-Control: no-cache
                                                  Nov 20, 2024 09:14:59.070246935 CET | 1236 | IN | HTTP/1.1 200 OK
                                                  Content-Type: text/plain
                                                  Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
                                                  Accept-Ranges: bytes
                                                  ETag: "c04e101e3bdb1:0"
                                                  Server: Microsoft-IIS/8.5
                                                  Date: Wed, 20 Nov 2024 08:14:58 GMT
                                                  Content-Length: 5139
                                                  Nov 20, 2024 09:14:59.070266962 CET | 1236 | IN
                                                  Nov 20, 2024 09:14:59.070281982 CET | 448 | IN
                                                  Nov 20, 2024 09:14:59.070297003 CET | 1236 | IN
                                                  Nov 20, 2024 09:14:59.070313931 CET | 1207 | IN
                                                  Nov 20, 2024 09:15:04.842345953 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                                                  Accept: */*
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                  Host: 42.193.100.57
                                                  Cache-Control: no-cache
                                                  Nov 20, 2024 09:15:05.251256943 CET | 1236 | IN | HTTP/1.1 200 OK
                                                  Content-Type: text/plain
                                                  Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
                                                  Accept-Ranges: bytes
                                                  ETag: "c04e101e3bdb1:0"
                                                  Server: Microsoft-IIS/8.5
                                                  Date: Wed, 20 Nov 2024 08:15:05 GMT
                                                  Content-Length: 5139
                                                  Nov 20, 2024 09:15:05.251280069 CET | 1236 | IN
                                                  Nov 20, 2024 09:15:05.251296997 CET | 1236 | IN
                                                  Nov 20, 2024 09:15:05.251332998 CET | 1236 | IN
                                                  Nov 20, 2024 09:15:05.251348019 CET | 419 | IN
                                                  Nov 20, 2024 09:15:12.184937000 CET | 164 | OUT | GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1
                                                  Accept: */*
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                  Host: 42.193.100.57
                                                  Cache-Control: no-cache
                                                  Nov 20, 2024 09:15:12.602588892 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Content-Type: text/html
                                                  Server: Microsoft-IIS/8.5
                                                  Date: Wed, 20 Nov 2024 08:15:12 GMT
                                                  Content-Length: 1163
                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1></h1></div><div id="content"> <div class="content-container"><fieldset> [TRUNCATED]
                                                  Nov 20, 2024 09:15:12.602605104 CET | 64 | IN
                                                  Data Ascii: </h3> </fieldset></div></div></body></html>



                                                  Target ID:0
                                                  Start time:03:14:38
                                                  Start date:20/11/2024
                                                  Path:C:\Users\user\Desktop\211.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\211.exe"
                                                  Imagebase:0x400000
                                                  File size:5'214'208 bytes
                                                  MD5 hash:F7C96FF131B356FE164C8D666C0F3B46
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:5
                                                  Start time:03:14:55
                                                  Start date:20/11/2024
                                                  Path:C:\Users\user\Desktop\211.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\211.exe"
                                                  Imagebase:0x400000
                                                  File size:5'214'208 bytes
                                                  MD5 hash:F7C96FF131B356FE164C8D666C0F3B46
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:false


                                                    Execution Graph

                                                    Execution Coverage:7.9%
                                                    Dynamic/Decrypted Code Coverage:47.8%
                                                    Signature Coverage:35.3%
                                                    Total number of Nodes:742
                                                    Total number of Limit Nodes:19
23425->23409 23426->23409 23428 544bec 65 API calls 23427->23428 23429 545e96 23428->23429 23430 5497bf 65 API calls 23429->23430 23431 545e9d 23430->23431 23438 54a610 SetErrorMode SetErrorMode 23431->23438 23435 52dda8 23435->23422 23436 545ed2 23449 54aecf 68 API calls 23436->23449 23437 53fcee 31 API calls 23437->23436 23439 5497bf 65 API calls 23438->23439 23440 54a627 23439->23440 23441 5497bf 65 API calls 23440->23441 23442 54a636 23441->23442 23443 54a65c 23442->23443 23450 54a673 23442->23450 23445 5497bf 65 API calls 23443->23445 23446 54a661 23445->23446 23447 545eb5 23446->23447 23469 544c01 23446->23469 23447->23436 23447->23437 23449->23435 23451 5497bf 65 API calls 23450->23451 23452 54a686 GetModuleFileNameA 23451->23452 23480 52fc97 29 API calls 23452->23480 23454 54a6b8 23481 54a790 lstrlenA lstrcpynA 23454->23481 23456 54a6d4 23457 54a6ea 23456->23457 23486 53241c 29 API calls 23456->23486 23459 54a724 23457->23459 23482 545771 23457->23482 23460 54a73c lstrcpyA 23459->23460 23461 54a757 23459->23461 23488 53241c 29 API calls 23460->23488 23464 54a766 lstrcatA 23461->23464 23465 54a784 23461->23465 23489 53241c 29 API calls 23464->23489 23465->23443 23470 5497bf 65 API calls 23469->23470 23471 544c06 23470->23471 23472 544c5e 23471->23472 23490 549588 23471->23490 23472->23447 23475 549ddc 7 API calls 23476 544c3c 23475->23476 23477 544c49 23476->23477 23478 5497bf 65 API calls 23476->23478 23479 549d47 65 API calls 23477->23479 23478->23477 23479->23472 23480->23454 23481->23456 23483 5497bf 65 API calls 23482->23483 23484 545777 LoadStringA 23483->23484 23485 545792 23484->23485 23487 53241c 29 API calls 23485->23487 23486->23457 23487->23459 23488->23461 23489->23465 23491 549d47 65 API calls 23490->23491 23492 544c12 GetCurrentThreadId SetWindowsHookExA 23491->23492 23492->23475 23541 10026e99 89 API calls 23544 100274b1 10 API calls 23341 53fbeb 23344 52f4de 23341->23344 23345 52f5b8 23344->23345 23346 52f50c 23344->23346 23347 52f551 
23346->23347 23348 52f516 23346->23348 23349 52f542 23347->23349 23364 536404 29 API calls 23347->23364 23361 536404 29 API calls 23348->23361 23349->23345 23351 52f5aa RtlFreeHeap 23349->23351 23351->23345 23353 52f51d 23354 52f537 23353->23354 23362 537688 VirtualFree VirtualFree HeapFree 23353->23362 23363 52f548 LeaveCriticalSection 23354->23363 23355 52f55d 23360 52f589 23355->23360 23365 53840f VirtualFree HeapFree VirtualFree 23355->23365 23366 52f5a0 LeaveCriticalSection 23360->23366 23361->23353 23362->23354 23363->23349 23364->23355 23365->23360 23366->23349 23546 1002a472 __CxxFrameHandler 23547 10026eb8 90 API calls 23548 10026cb9 23 API calls 23551 1001a595 ExitProcess GetProcessHeap RtlAllocateHeap MessageBoxA 23608 10026dc5 30 API calls 22741 4ccc80 22744 4c6680 22741->22744 22743 4ccca5 22745 4c66bc 22744->22745 22746 4c66c0 22745->22746 22748 4c66d2 22745->22748 22846 4c49c0 130 API calls 22746->22846 22749 4c6704 22748->22749 22754 4c687c 22748->22754 22750 4c682f 22749->22750 22751 4c67e1 22749->22751 22752 4c6792 22749->22752 22753 4c6733 22749->22753 22772 4c66cd 22749->22772 22773 4c6a06 22749->22773 22775 4c6914 22749->22775 22777 4c6b10 22749->22777 22785 4c6ab0 22749->22785 22760 4c6867 22750->22760 22761 4c6852 22750->22761 22750->22772 22758 4c681a 22751->22758 22759 4c6805 22751->22759 22751->22772 22756 4c67cc 22752->22756 22757 4c67b7 22752->22757 22752->22772 22847 52eaa4 29 API calls 22753->22847 22755 4c68c0 IsWindow 22754->22755 22769 4c68d6 22754->22769 22755->22769 22851 4c6580 58 API calls 22756->22851 22850 4c6580 58 API calls 22757->22850 22853 4c6580 58 API calls 22758->22853 22852 4c6580 58 API calls 22759->22852 22855 4c6580 58 API calls 22760->22855 22854 4c6580 58 API calls 22761->22854 22770 4c6ee9 22769->22770 22771 4c6902 22769->22771 22774 4c6f03 22770->22774 22866 4c49c0 130 API calls 22770->22866 22771->22772 22771->22773 22771->22775 22771->22777 22771->22785 22772->22743 22773->22772 22779 4c6a55 GetWindowRect 
22773->22779 22783 4c702a 22774->22783 22801 4c6fbc 22774->22801 22814 4c6f38 22774->22814 22775->22772 22780 4c696d GetWindowRect GetParent 22775->22780 22776 4c674d 22776->22772 22848 4c01c0 GetProcessHeap RtlAllocateHeap GetProcessHeap HeapAlloc HeapReAlloc 22776->22848 22777->22772 22790 4c6bb4 22777->22790 22791 4c6ba5 22777->22791 22781 4c6a94 22779->22781 22782 4c6a76 22779->22782 22856 541884 66 API calls 22780->22856 22861 54420b SetWindowPos 22781->22861 22860 54420b SetWindowPos 22782->22860 22787 4c7180 22783->22787 22808 4c703f 22783->22808 22862 4c01c0 GetProcessHeap RtlAllocateHeap GetProcessHeap HeapAlloc HeapReAlloc 22785->22862 22787->22814 22869 4ce6c0 70 API calls 22787->22869 22796 4c6d3a 22790->22796 22823 4c6bd9 22790->22823 22863 54425a 22791->22863 22792 4c6990 22797 4c69b0 22792->22797 22857 5440f2 GetWindowLongA 22792->22857 22794 4c6781 22849 4c6580 58 API calls 22794->22849 22827 4c2b40 22796->22827 22859 5441ca MoveWindow 22797->22859 22801->22814 22867 4b19a0 GetProcessHeap RtlAllocateHeap GetProcessHeap HeapAlloc HeapReAlloc 22801->22867 22803 4c7283 IsWindow 22803->22772 22806 4c728e 22803->22806 22804 4c699d 22804->22797 22858 5466be GetWindowLongA ScreenToClient ScreenToClient 22804->22858 22806->22772 22811 4c72a2 22806->22811 22809 4c7076 GetStockObject GetObjectA 22808->22809 22812 4c7065 22808->22812 22809->22812 22870 4c40b0 PeekMessageA 22811->22870 22812->22814 22868 4ce6c0 70 API calls 22812->22868 22814->22772 22814->22803 22818 4c72cf 22819 4c40b0 67 API calls 22818->22819 22821 4c72d6 22819->22821 22820 4c6d21 22820->22772 22822 54425a ShowWindow 22820->22822 22821->22772 22822->22772 22823->22772 22823->22820 22824 4c6c84 IsWindow 22823->22824 22824->22820 22826 4c6c96 22824->22826 22825 4b4d90 SendMessageA 22825->22826 22826->22823 22826->22825 22829 4c2b63 22827->22829 22828 4c2cf1 22828->22772 22829->22828 22830 4c2bad IsWindow 22829->22830 22830->22828 22831 4c2bbe 22830->22831 22832 4c2bc8 22831->22832 22833 
4c2be6 22831->22833 22832->22828 22837 54425a ShowWindow 22832->22837 22834 4c2c00 GetParent 22833->22834 22835 4c2caf 22833->22835 22883 541884 66 API calls 22834->22883 22836 4c2ccf 22835->22836 22884 4c2ef0 14 API calls 22835->22884 22836->22828 22876 4c3f70 22836->22876 22840 4c2bdd 22837->22840 22840->22772 22841 4c2c10 22841->22835 22843 4c2c23 IsWindow 22841->22843 22843->22835 22844 4c2c2e 22843->22844 22844->22835 22845 4c2c8e SetWindowPos 22844->22845 22845->22835 22846->22772 22847->22776 22848->22794 22849->22772 22850->22772 22851->22772 22852->22772 22853->22772 22854->22772 22855->22772 22856->22792 22857->22804 22858->22797 22859->22772 22860->22772 22861->22772 22862->22772 22864 544270 22863->22864 22865 544261 ShowWindow 22863->22865 22864->22772 22865->22864 22866->22774 22867->22814 22868->22814 22869->22814 22871 4c40cd 22870->22871 22872 4c40f3 22870->22872 22871->22872 22874 4c40e0 PeekMessageA 22871->22874 22885 544bec 22871->22885 22875 4c4110 110 API calls 22872->22875 22874->22871 22874->22872 22875->22818 22880 4c3f87 22876->22880 22877 4c3f94 PeekMessageA 22877->22880 22878 4c40a5 22878->22828 22879 4c3fbd IsWindow 22879->22880 22880->22877 22880->22878 22880->22879 22881 4c4091 PeekMessageA 22880->22881 22882 4b1b20 GetProcessHeap RtlAllocateHeap GetProcessHeap HeapAlloc HeapReAlloc 22880->22882 22881->22880 22882->22880 22883->22841 22884->22836 22890 5497e5 22885->22890 22887 544bfd 22887->22871 22891 5497bf 65 API calls 22890->22891 22892 5497ea 22891->22892 22900 549d47 22892->22900 22895 5497bf 22896 549d47 65 API calls 22895->22896 22897 5497ce 22896->22897 22898 5497e4 22897->22898 22924 549ddc 22897->22924 22898->22887 22901 549d50 22900->22901 22902 549d7d TlsGetValue 22900->22902 22904 549d6a 22901->22904 22911 549947 65 API calls 22901->22911 22903 549d90 22902->22903 22907 544bf1 22903->22907 22908 549da3 22903->22908 22912 5499e0 EnterCriticalSection 22904->22912 22906 549d7b 22906->22902 22907->22887 22907->22895 22922 
549b4f 65 API calls 22908->22922 22911->22904 22918 5499ff 22912->22918 22913 549ad0 LeaveCriticalSection 22913->22906 22914 549abb 22914->22913 22915 549a4c GlobalHandle GlobalUnlock GlobalReAlloc 22917 549a6e 22915->22917 22916 549a39 GlobalAlloc 22916->22917 22919 549a97 GlobalLock 22917->22919 22920 549a7c GlobalHandle GlobalLock LeaveCriticalSection 22917->22920 22918->22914 22918->22915 22918->22916 22919->22914 22923 53ded1 65 API calls __EH_prolog 22920->22923 22922->22907 22923->22919 22925 549de6 __EH_prolog 22924->22925 22926 549e14 22925->22926 22930 54aa8c 6 API calls 22925->22930 22926->22898 22928 549dfd 22931 54aafc LeaveCriticalSection 22928->22931 22930->22928 22931->22926 23611 10026bd6 25 API calls 23554 532485 32 API calls 23555 100270d8 28 API calls 23556 10026cd8 22 API calls 23614 10026de4 84 API calls 23560 5490bd 65 API calls __EH_prolog 23618 100291f3 ??3@YAXPAX GetProcessHeap HeapFree 23619 100293f0 ??3@YAXPAX 23563 10026ef6 75 API calls 23564 10026cf7 43 API calls 23565 4cceb0 HeapFree

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 486 4c45f0-4c4615 487 4c461b-4c4626 486->487 488 4c46b3-4c46c2 486->488 489 4c4628-4c4632 487->489 490 4c4635-4c4638 487->490 491 4c496f-4c4980 488->491 492 4c46c8-4c46d8 488->492 489->490 493 4c464d 490->493 494 4c463a-4c464b call 52e958 490->494 495 4c46e9-4c4706 call 4b1bf0 492->495 496 4c46da-4c46e4 call 52e958 492->496 499 4c464f-4c4661 GetProcAddress 493->499 494->499 507 4c470c-4c471f call 52f970 495->507 508 4c481f 495->508 496->495 503 4c4696-4c46b0 call 4c45d0 499->503 504 4c4663-4c4691 call 4cdd80 call 4c49c0 call 53fe81 499->504 504->503 521 4c47ea-4c47f1 LoadLibraryA 507->521 522 4c4725-4c4736 507->522 510 4c4824-4c4832 LoadLibraryA 508->510 514 4c486f-4c4878 510->514 515 4c4834-4c4842 GetProcAddress 510->515 514->510 523 4c487a-4c4885 514->523 518 4c485a-4c4864 515->518 519 4c4844-4c484f 515->519 518->523 526 4c4866-4c486d FreeLibrary 518->526 519->518 525 4c4851-4c4857 519->525 521->523 524 4c47f7-4c4805 GetProcAddress 521->524 528 4c4738-4c4756 call 5400ca LoadLibraryA call 53fe81 522->528 529 4c4760-4c47ad call 5400ca * 2 LoadLibraryA call 53fe81 * 2 522->529 530 4c494c-4c494e 523->530 531 4c488b-4c488d 523->531 524->523 535 4c4807-4c4812 524->535 525->518 526->514 528->524 554 4c475c 528->554 529->524 565 4c47af-4c47c0 529->565 533 4c4966-4c496c 530->533 534 4c4950-4c495b 530->534 537 4c488f-4c4890 FreeLibrary 531->537 538 4c4896-4c48a5 call 4b1bf0 531->538 533->491 534->533 541 4c495d-4c4963 534->541 535->523 542 4c4814-4c481d 535->542 537->538 547 4c48fa-4c4949 call 4cdd80 call 4c49c0 call 53fe81 538->547 548 4c48a7-4c48f7 call 4cdd80 call 4c49c0 call 53fe81 538->548 541->533 542->523 554->529 568 4c47e2-4c47e4 565->568 569 4c47c2-4c47dd call 5400ca LoadLibraryA call 53fe81 565->569 568->524 572 4c47e6 568->572 569->568 572->521
                                                    APIs
                                                    • GetProcAddress.KERNEL32(00000000,007E75F4), ref: 004C4657
                                                    • LoadLibraryA.KERNEL32(?,?,007F7FD8), ref: 004C4747
                                                    • LoadLibraryA.KERNEL32(?,?), ref: 004C478D
                                                    • LoadLibraryA.KERNEL32(?,?,007F7EE0,00000001), ref: 004C47D5
                                                    • LoadLibraryA.KERNEL32(00000001), ref: 004C47EB
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004C47FD
                                                    • FreeLibrary.KERNEL32(00000000), ref: 004C4890
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Library$Load$AddressProc$Free
                                                    • String ID: z}
                                                    • API String ID: 3120990465-525666401
                                                    • Opcode ID: 28ba6f5a5f4a5de310bd756f26aec77ae490bdf039b557b6098d2d28c867c74a
                                                    • Instruction ID: b24586c34ea4d5a4f17fe2c9cada23a81f7d34b64050b80aa2a0c0419b811f07
                                                    • Opcode Fuzzy Hash: 28ba6f5a5f4a5de310bd756f26aec77ae490bdf039b557b6098d2d28c867c74a
                                                    • Instruction Fuzzy Hash: E4A1D2B9A003429BC354EF64C8A4FABB3A8FFD9314F04462EF81587351D738E9058BA5

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1011 100193c2-10019472 call 1002748d * 3 call 100294c0 1020 10019474-1001947a call 10027487 1011->1020 1021 1001947d-1001949e CopyFileA 1011->1021 1020->1021 1023 100194a0-100194b4 call 10027499 1021->1023 1024 100194b7-100194c3 1021->1024 1023->1024 1027 100194c5 1024->1027 1028 100194ca-100194e9 call 10028d40 1024->1028 1027->1028 1032 100194f4-10019504 1028->1032 1033 100194eb-100194f1 call 10027487 1028->1033 1035 10019506 1032->1035 1036 1001950b-10019525 call 10028000 1032->1036 1033->1032 1035->1036 1040 1001952b-10019539 1036->1040 1041 1001956e-10019586 call 1000241a 1036->1041 1043 10019540-1001955f call 10028d40 1040->1043 1044 1001953b 1040->1044 1047 10019588 1041->1047 1048 1001958d-100195b5 call 10028e50 call 10006495 1041->1048 1051 10019561-10019567 call 10027487 1043->1051 1052 1001956a-1001956b 1043->1052 1044->1043 1047->1048 1058 100195d6 1048->1058 1059 100195bb-100195c9 1048->1059 1051->1052 1052->1041 1061 100195db-100195dd 1058->1061 1059->1058 1060 100195cf-100195d4 1059->1060 1060->1061 1062 100195e3-1001960c RtlAllocateHeap 1061->1062 1063 10019832-10019840 1061->1063 1064 10019625-10019688 call 10007b67 call 1002748d call 10008edd call 10027487 1062->1064 1065 1001960e-10019622 call 10027499 1062->1065 1069 10019842-10019848 call 10027487 1063->1069 1070 1001984b-10019850 1063->1070 1097 10019689-10019691 1064->1097 1065->1064 1069->1070 1074 10019852-10019858 call 10027487 1070->1074 1075 1001985b-10019882 call 10027487 * 2 1070->1075 1074->1075 1087 10019895 1075->1087 1088 10019884 1075->1088 1091 1001989b-100198bb call 10027487 * 2 1087->1091 1092 100198bd-100198c9 call 10027487 1087->1092 1090 10019886-1001988a 1088->1090 1094 10019891-10019893 1090->1094 1095 1001988c-1001988f 1090->1095 1091->1092 1094->1087 1095->1090 1100 10019822-1001982d call 100094fb 1097->1100 1101 10019697-100196a5 call 10001000 1097->1101 1100->1063 1108 100196a7-100196bb call 10027499 
1101->1108 1109 100196be-100196c2 1101->1109 1108->1109 1111 100196c4-100196d8 call 10027499 1109->1111 1112 100196db-10019736 call 10001b27 call 10001000 1109->1112 1111->1112 1120 10019738-1001974c call 10027499 1112->1120 1121 1001974f-10019753 1112->1121 1120->1121 1122 10019755-10019769 call 10027499 1121->1122 1123 1001976c-100197c7 call 10001b27 call 10001000 1121->1123 1122->1123 1132 100197e0-100197e4 1123->1132 1133 100197c9-100197dd call 10027499 1123->1133 1135 100197e6-100197fa call 10027499 1132->1135 1136 100197fd-1001981d call 10007b67 1132->1136 1133->1132 1135->1136 1136->1097
                                                    APIs
                                                      • Part of subcall function 100294C0: GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                                                      • Part of subcall function 100294C0: GetTickCount.KERNEL32 ref: 10029543
                                                      • Part of subcall function 100294C0: wsprintfA.USER32 ref: 10029558
                                                      • Part of subcall function 100294C0: PathFileExistsA.SHLWAPI(?), ref: 10029565
                                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 10019491
                                                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000000,00000001,?,?,?,00000000), ref: 100195FF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: FilePath$AllocateCopyCountExistsHeapTempTickwsprintf
                                                    • String ID: @
                                                    • API String ID: 183890193-2766056989
                                                    • Opcode ID: 18b586d84286487eb4998f70b0221884ed49b53f03fc69af3a470360e7e03aa0
                                                    • Instruction ID: 886d6a9a19e72094fdb0421fea6300c5803c3cbfa718e8e798f15b8255d4c358
                                                    • Opcode Fuzzy Hash: 18b586d84286487eb4998f70b0221884ed49b53f03fc69af3a470360e7e03aa0
                                                    • Instruction Fuzzy Hash: 26D142B5E40209ABEB01DFD4DCC2F9EB7B4FF18704F540065F604BA282E776A9548B66

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1157 1000710e-10007271 call 1002748d * 5 GetVersionExA 1168 10007273-10007287 call 10027499 1157->1168 1169 1000728a-100072e2 call 10027ca0 1157->1169 1168->1169 1174 100072f3-100072f9 1169->1174 1175 100072e4 1169->1175 1177 10007300-1000734b call 10027487 1174->1177 1178 100072fb 1174->1178 1176 100072e6-100072ea 1175->1176 1179 100072f1 1176->1179 1180 100072ec-100072ef 1176->1180 1183 10007351-100073f3 call 1002748d GetSystemInfo 1177->1183 1184 100077ad-100077b2 1177->1184 1178->1177 1179->1174 1180->1176 1189 100073f5-10007409 call 10027499 1183->1189 1190 1000740c-100074c4 call 10027487 RtlGetNtVersionNumbers 1183->1190 1185 100077b7-100077f1 call 10027487 * 4 1184->1185 1189->1190 1198 100074c6-100074da call 10027499 1190->1198 1199 100074dd-10007520 1190->1199 1198->1199 1202 10007552-10007556 1199->1202 1203 10007526-1000752a 1199->1203 1205 10007630-10007634 1202->1205 1206 1000755c-10007560 1202->1206 1208 10007530-10007534 1203->1208 1209 1000754d 1203->1209 1213 1000778a-1000778e 1205->1213 1214 1000763a-1000763e 1205->1214 1211 10007591-10007595 1206->1211 1212 10007566-10007574 1206->1212 1215 10007546 1208->1215 1216 1000753a-10007541 1208->1216 1218 100077a5-100077a8 1209->1218 1222 100075c6-100075ca 1211->1222 1223 1000759b-100075a9 1211->1223 1219 10007584 1212->1219 1220 1000757a-1000757f 1212->1220 1213->1218 1221 10007794-10007798 1213->1221 1224 10007650-10007654 1214->1224 1225 10007644-1000764b 1214->1225 1215->1209 1216->1209 1218->1185 1226 10007589-1000758c 1219->1226 1220->1226 1221->1218 1227 1000779e 1221->1227 1232 100075d0-100075de 1222->1232 1233 100075fb-100075ff 1222->1233 1228 100075b9 1223->1228 1229 100075af-100075b4 1223->1229 1230 10007785 1224->1230 1231 1000765a-1000766f 1224->1231 1225->1230 1235 1000762b 1226->1235 1227->1218 1236 100075be-100075c1 1228->1236 1229->1236 1230->1218 1244 10007671-10007685 call 10027499 1231->1244 1245 10007688-1000768f 
1231->1245 1237 100075e4-100075e9 1232->1237 1238 100075ee 1232->1238 1234 10007605-10007613 1233->1234 1233->1235 1239 10007623 1234->1239 1240 10007619-1000761e 1234->1240 1235->1218 1236->1235 1242 100075f3-100075f6 1237->1242 1238->1242 1243 10007628 1239->1243 1240->1243 1242->1235 1243->1235 1244->1245 1246 100076a1-100076a5 1245->1246 1247 10007695-1000769c 1245->1247 1249 100076c7 1246->1249 1250 100076ab-100076ba 1246->1250 1247->1230 1253 100076cc-100076ce 1249->1253 1250->1249 1252 100076c0-100076c5 1250->1252 1252->1253 1254 100076e0-1000771d call 10028950 1253->1254 1255 100076d4-100076db 1253->1255 1258 10007723-1000772a 1254->1258 1259 1000772f-1000776c call 10028950 1254->1259 1255->1230 1258->1230 1262 10007772-10007779 1259->1262 1263 1000777e 1259->1263 1262->1230 1263->1230
                                                    APIs
                                                    • GetVersionExA.KERNEL32(00000000,10006DE0), ref: 10007264
                                                    • GetSystemInfo.KERNEL32(00000000,?), ref: 100073E6
                                                    • RtlGetNtVersionNumbers.NTDLL(?,?,00000000), ref: 100074B7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: Version$InfoNumbersSystem
                                                    • String ID:
                                                    • API String ID: 995872648-0
                                                    • Opcode ID: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                                                    • Instruction ID: 6910099e4755c4c9484fada616f008788a9246664730439cfdd765e490be93a4
                                                    • Opcode Fuzzy Hash: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                                                    • Instruction Fuzzy Hash: 001225B5E40246DBFB00CFA8DC81799B7F0FF19364F290065E909AB345E379A951CB62

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1300 10007fdd-1000801e call 100280c0 1303 10008020-10008026 call 10027487 1300->1303 1304 10008029-10008059 call 1000241a call 10007db8 1300->1304 1303->1304 1311 10008098-1000809d 1304->1311 1312 1000805f-10008063 1304->1312 1313 100080a8-100080ab 1311->1313 1314 1000809f-100080a5 call 10027487 1311->1314 1312->1311 1315 10008069-1000806c 1312->1315 1314->1313 1318 10008075-1000807c 1315->1318 1319 10008095 1318->1319 1320 1000807e-10008092 call 10027499 1318->1320 1319->1311 1320->1319
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID: `+gw
                                                    • API String ID: 3535843008-3399981281
                                                    • Opcode ID: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                                                    • Instruction ID: f7734d6dfd281f4cec539f69a8a4743609fe5589cfe20e3980177d77de103c32
                                                    • Opcode Fuzzy Hash: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                                                    • Instruction Fuzzy Hash: 92112EB5D40308BBEB50DFE0DC86B9DBBB8EF05340F108069E6447A281D7B66B588B91

                                                    Control-flow Graph

                                                    control_flow_graph 1323 10018ad3-10018b21 call 10018eea * 2 HeapCreate 1329 10018b23-10018b37 call 10027499 1323->1329 1330 10018b3a-10018b5e HeapCreate 1323->1330 1329->1330 1332 10018b60-10018b74 call 10027499 1330->1332 1333 10018b77-10018b8e call 10001000 1330->1333 1332->1333 1339 10018b90-10018ba4 call 10027499 1333->1339 1340 10018ba7-10018bc8 call 1000188f 1333->1340 1339->1340 1345 10018bd3-10018be4 call 1000b61e 1340->1345 1346 10018bca-10018bd0 call 10027487 1340->1346 1351 10018be6-10018bec call 10027487 1345->1351 1352 10018bef-10018c09 call 10001000 1345->1352 1346->1345 1351->1352 1357 10018c22-10018c43 call 1000188f 1352->1357 1358 10018c0b-10018c1f call 10027499 1352->1358 1363 10018c45-10018c4b call 10027487 1357->1363 1364 10018c4e-10018c5f call 1000b61e 1357->1364 1358->1357 1363->1364 1369 10018c61-10018c67 call 10027487 1364->1369 1370 10018c6a-10018c84 call 10001000 1364->1370 1369->1370 1375 10018c86-10018c9a call 10027499 1370->1375 1376 10018c9d-10018cbe call 1000188f 1370->1376 1375->1376 1381 10018cc0-10018cc6 call 10027487 1376->1381 1382 10018cc9-10018cda call 1000b61e 1376->1382 1381->1382 1387 10018ce5-10018cff call 10001000 1382->1387 1388 10018cdc-10018ce2 call 10027487 1382->1388 1393 10018d01-10018d15 call 10027499 1387->1393 1394 10018d18-10018d39 call 1000188f 1387->1394 1388->1387 1393->1394 1399 10018d44-10018d55 call 1000b61e 1394->1399 1400 10018d3b-10018d41 call 10027487 1394->1400 1405 10018d60-10018d7a call 10001000 1399->1405 1406 10018d57-10018d5d call 10027487 1399->1406 1400->1399 1411 10018d93-10018db4 call 1000188f 1405->1411 1412 10018d7c-10018d90 call 10027499 1405->1412 1406->1405 1417 10018db6-10018dbc call 10027487 1411->1417 1418 10018dbf-10018dd0 call 1000b61e 1411->1418 1412->1411 1417->1418 1423 10018dd2-10018dd8 call 10027487 1418->1423 1424 10018ddb-10018e4b call 10006453 call 1000710e call 10018f34 call 100191e3 call 10019edc call 1000ff10 call 100114f9 1418->1424 1423->1424 1441 10018e56-10018ea3 call 10019edc call 1000ff10 call 100114f9 1424->1441 1442 10018e4d-10018e53 call 10027487 1424->1442 1451 10018ea5-10018eab call 10027487 1441->1451 1452 10018eae-10018ec2 call 10019f4c 1441->1452 1442->1441 1451->1452 1456 10018ec7-10018ee9 call 1001a236 1452->1456
                                                    APIs
                                                      • Part of subcall function 10018EEA: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                                                    • HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 10018B14
                                                    • HeapCreate.KERNEL32(00040000,00000000,00000000), ref: 10018B51
                                                      • Part of subcall function 1000FF10: RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: Create$Heap$ComputeCrc32Mutex
                                                    • String ID:
                                                    • API String ID: 3311811139-0
                                                    • Opcode ID: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                                                    • Instruction ID: 66fc46a93c8d8d126791b072413d70454ec7258938680aadaad6e332e46fbde2
                                                    • Opcode Fuzzy Hash: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                                                    • Instruction Fuzzy Hash: B8B10CB5E00309ABEB10EFE4DCC2B9E77B8FB14340F504465E618EB246E775AB448B52

                                                    Control-flow Graph

                                                    control_flow_graph 1461 4b1250-4b125a 1462 4b126c-4b1272 1461->1462 1463 4b125c-4b1269 call 4b1320 1461->1463 1465 4b127c-4b1288 1462->1465 1466 4b1274-4b1279 1462->1466 1468 4b128a-4b1290 1465->1468 1469 4b12d6-4b12dd 1465->1469 1468->1469 1472 4b1292-4b1298 1468->1472 1470 4b12ea-4b12ff RtlAllocateHeap 1469->1470 1471 4b12df-4b12e5 GetProcessHeap 1469->1471 1473 4b130d-4b1316 1470->1473 1474 4b1301-4b130a 1470->1474 1471->1470 1472->1469 1475 4b129a-4b12d3 call 513f10 1472->1475
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 65c0620cca44ce1836006fb26f76a04352bcddd32108ef6c4988ce719da8f37e
                                                    • Instruction ID: 257c5965780043ca074fcd81bf9be300c55a239d83c9bfd71556b5287a9629b6
                                                    • Opcode Fuzzy Hash: 65c0620cca44ce1836006fb26f76a04352bcddd32108ef6c4988ce719da8f37e
                                                    • Instruction Fuzzy Hash: 17214CB67007008FE720CF6AD884A97B7E8EBA0315F50C86FE155C7660E374E814CB68
                                                    APIs
                                                    • LdrInitializeThunk.NTDLL(-0000007F), ref: 10004BAD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                                                    • Instruction ID: 7f13cb2829284cec5adb7bd0b88e9c5a5f53f04c1fb2448feb0c9f08ba257be5
                                                    • Opcode Fuzzy Hash: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                                                    • Instruction Fuzzy Hash: 0111C4B1600645DBFB20DF18C894B5973A5EB413D9F128336E806CB2E8CB78DD85C789
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D511,00000000), ref: 1001A1FA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                                                    • Instruction ID: 8b03ad6f155dc1ffa3c952e4c0ec4cfc85cd69f7d418c3f1b48ca094e25b3ce2
                                                    • Opcode Fuzzy Hash: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                                                    • Instruction Fuzzy Hash: EF012975D04319A7DB00EFD49C82F9E77B9EB05340F404066E50466151D775DB949B92
                                                    APIs
                                                    • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: CreateMutex
                                                    • String ID:
                                                    • API String ID: 1964310414-0
                                                    • Opcode ID: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                                                    • Instruction ID: b5123a5caac3b4bfff5d25017b882f5dc189a7960400f6af0356bf2a3b5a090f
                                                    • Opcode Fuzzy Hash: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                                                    • Instruction Fuzzy Hash: 49E01270E95308F7E120AA505D03B29B635D70AB11F609055BE083E1C1D5B19A156696
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b9d96f711bed1383d031ca0dac88fdae5251d9c53d9bf8816c3aab93586292f5
                                                    • Instruction ID: 23e23e3e0b00616b506ef40b4e7189cf80c6bfefc8b078a348fcbc7d6859dced
                                                    • Opcode Fuzzy Hash: b9d96f711bed1383d031ca0dac88fdae5251d9c53d9bf8816c3aab93586292f5
                                                    • Instruction Fuzzy Hash: 9F31FB70804A0DEBCF01DF95F6C5A9DBBB0FF09300F6180D5E9A46A259CB355A34DB26

                                                    Control-flow Graph

                                                    control_flow_graph 575 5499e0-5499fd EnterCriticalSection 576 549a0c-549a11 575->576 577 5499ff-549a06 575->577 579 549a13-549a16 576->579 580 549a2e-549a37 576->580 577->576 578 549ac5-549ac8 577->578 581 549ad0-549af1 LeaveCriticalSection 578->581 582 549aca-549acd 578->582 583 549a19-549a1c 579->583 584 549a4c-549a68 GlobalHandle GlobalUnlock GlobalReAlloc 580->584 585 549a39-549a4a GlobalAlloc 580->585 582->581 587 549a26-549a28 583->587 588 549a1e-549a24 583->588 586 549a6e-549a7a 584->586 585->586 589 549a97-549ac4 GlobalLock call 5315f0 586->589 590 549a7c-549a92 GlobalHandle GlobalLock LeaveCriticalSection call 53ded1 586->590 587->578 587->580 588->583 588->587 589->578 590->589
                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(00826AA0,00826A74,00000000,?,00826A84,00826A84,00549D7B,?,00000000,005497CE,005490BD,005497EA,00544BF1,00545E96,?,00000000), ref: 005499EF
                                                    • GlobalAlloc.KERNEL32(00002002,00000000,?,?,00826A84,00826A84,00549D7B,?,00000000,005497CE,005490BD,005497EA,00544BF1,00545E96,?,00000000), ref: 00549A44
                                                    • GlobalHandle.KERNEL32(00BC2788), ref: 00549A4D
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00549A56
                                                    • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00549A68
                                                    • GlobalHandle.KERNEL32(00BC2788), ref: 00549A7F
                                                    • GlobalLock.KERNEL32(00000000), ref: 00549A86
                                                    • LeaveCriticalSection.KERNEL32(0052DDA8,?,?,00826A84,00826A84,00549D7B,?,00000000,005497CE,005490BD,005497EA,00544BF1,00545E96,?,00000000), ref: 00549A8C
                                                    • GlobalLock.KERNEL32(00000000), ref: 00549A9B
                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00549AE4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                                    • String ID:
                                                    • API String ID: 2667261700-0
                                                    • Opcode ID: ad25314e3ab3a8c0cbd963cee62433216bdfd4a3f84765b6980d9fd789afd86f
                                                    • Instruction ID: 4f8166a8f1f4e6fff3fbf02aa1c08d632a4cb6cf359e0752492905e01ba98f7c
                                                    • Opcode Fuzzy Hash: ad25314e3ab3a8c0cbd963cee62433216bdfd4a3f84765b6980d9fd789afd86f
                                                    • Instruction Fuzzy Hash: F53194752007069FDB249F25DC9A96BBBE9FB84305F050A2DF456C36A1E771E848CB10

                                                    Control-flow Graph

                                                    control_flow_graph 728 100294c0-100294cf 729 100294d1-100294e3 GetTempPathA 728->729 730 100294eb-10029511 728->730 731 10029513-1002952c 729->731 732 100294e5-100294e9 729->732 730->731 733 10029531-1002953d 731->733 734 1002952e 731->734 732->731 735 10029543-10029569 GetTickCount wsprintfA PathFileExistsA 733->735 734->733 735->735 736 1002956b-100295b3 call 10027bb0 735->736
                                                    APIs
                                                    • GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                                                    • GetTickCount.KERNEL32 ref: 10029543
                                                    • wsprintfA.USER32 ref: 10029558
                                                    • PathFileExistsA.SHLWAPI(?), ref: 10029565
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: Path$CountExistsFileTempTickwsprintf
                                                    • String ID: %s%x.tmp
                                                    • API String ID: 3843276195-78920241
                                                    • Opcode ID: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                                                    • Instruction ID: 19c0f5fbbc49b21063d5a4c1e69b6cb6cd736cc94922c53957f775166a9e82b6
                                                    • Opcode Fuzzy Hash: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                                                    • Instruction Fuzzy Hash: 9521F6352046144FE329D638AC526EB77D5FBC4360F948A2DF9AA831C0DF74DD058791

                                                    Control-flow Graph

                                                    control_flow_graph 999 10027bb0-10027bb7 1000 10027bc4-10027bd7 RtlAllocateHeap 999->1000 1001 10027bb9-10027bbf GetProcessHeap 999->1001 1002 10027bf5-10027bf8 1000->1002 1003 10027bd9-10027bf2 MessageBoxA call 10027b10 1000->1003 1001->1000 1003->1002
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                                                    • RtlAllocateHeap.NTDLL(00BB0000,00000008,?,?,10028674), ref: 10027BCD
                                                    • MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: Heap$AllocateMessageProcess
                                                    • String ID: error
                                                    • API String ID: 2992861138-1574812785
                                                    • Opcode ID: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
                                                    • Instruction ID: 89e5899bf0a8eaacd33e9d23978464e8beef4f738102cb453b69e42e0a268b90
                                                    • Opcode Fuzzy Hash: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
                                                    • Instruction Fuzzy Hash: 4DE0DF71A01A31ABE322EB64BC88F4B7698EF05B41F910526F608E2240EF20AC019791

                                                    Control-flow Graph

                                                    control_flow_graph 1006 10028d40-10028d62 CreateFileA 1007 10028d64-10028da8 GetFileSize call 10027bb0 ReadFile CloseHandle 1006->1007 1008 10028da9-10028daa 1006->1008 1007->1008
                                                    APIs
                                                    • CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000020,00000000,00000000,100149DF,00000001,00000000,00000000,80000004,00000000,00000000,00000000), ref: 10028D55
                                                    • GetFileSize.KERNEL32(00000000,?,1002C201,00000268,?,00000000,00000000,00000000,00000000), ref: 10028D6C
                                                      • Part of subcall function 10027BB0: GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                                                      • Part of subcall function 10027BB0: RtlAllocateHeap.NTDLL(00BB0000,00000008,?,?,10028674), ref: 10027BCD
                                                      • Part of subcall function 10027BB0: MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                                                    • ReadFile.KERNEL32(00000000,00000008,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D98
                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D9F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: File$Heap$AllocateCloseCreateHandleMessageProcessReadSize
                                                    • String ID:
                                                    • API String ID: 749537981-0
                                                    • Opcode ID: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                                                    • Instruction ID: 3e7a6e3e6917c5c906f0044d82f650070526e8034b550c75b50b94cd4b2286ca
                                                    • Opcode Fuzzy Hash: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                                                    • Instruction Fuzzy Hash: 31F044762003107BE3218B64DCC9F9B77ACEB84B51F204A1DF616961D0E670A5458761

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1142 544c01-544c0a call 5497bf 1145 544c0c-544c37 call 549588 GetCurrentThreadId SetWindowsHookExA call 549ddc 1142->1145 1146 544c5f 1142->1146 1150 544c3c-544c42 1145->1150 1151 544c44-544c49 call 5497bf 1150->1151 1152 544c4f-544c5e call 549d47 1150->1152 1151->1152 1152->1146
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 00544C14
                                                    • SetWindowsHookExA.USER32(000000FF,V`H,00000000,00000000), ref: 00544C24
                                                      • Part of subcall function 00549DDC: __EH_prolog.LIBCMT ref: 00549DE1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: CurrentH_prologHookThreadWindows
                                                    • String ID: V`H
                                                    • API String ID: 2183259885-1425837005
                                                    • Opcode ID: 27b997f6f7179cb0b2779c966f14897fa4399675d54a179ccde032838a98a252
                                                    • Instruction ID: 87dbf15fe9ba73776dd891609e4a4d1bd61d5b6f110f75bd9d376146e84fbf59
                                                    • Opcode Fuzzy Hash: 27b997f6f7179cb0b2779c966f14897fa4399675d54a179ccde032838a98a252
                                                    • Instruction Fuzzy Hash: B4F0EC315803516FCB653B70A90FBDA3E60FF8172DF040214F2119A4E2DA708C858B51

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1264 4c3f70-4c3f83 1265 4c3f87-4c3f8b 1264->1265 1266 4c404f-4c4056 1265->1266 1267 4c3f91 1265->1267 1268 4c405e-4c4067 1266->1268 1269 4c4058-4c405c 1266->1269 1270 4c3f94-4c3fa1 PeekMessageA 1267->1270 1271 4c40a5-4c40ac 1268->1271 1276 4c4069-4c406c 1268->1276 1269->1268 1269->1271 1270->1266 1272 4c3fa7-4c3fb1 1270->1272 1274 4c401b-4c4030 1272->1274 1275 4c3fb3-4c3fba 1272->1275 1283 4c4036-4c403b 1274->1283 1284 4c4032 1274->1284 1277 4c3fbd-4c3fcf IsWindow 1275->1277 1278 4c406e-4c4074 1276->1278 1279 4c4076-4c4083 1276->1279 1281 4c3ffd-4c4010 1277->1281 1282 4c3fd1-4c3ffb call 4b1b20 * 3 1277->1282 1278->1271 1278->1279 1293 4c4085-4c408d 1279->1293 1294 4c4091-4c409e PeekMessageA 1279->1294 1292 4c4013-4c4017 1281->1292 1282->1292 1289 4c403d-4c4043 1283->1289 1290 4c4045-4c4049 1283->1290 1284->1283 1289->1271 1289->1290 1290->1266 1290->1270 1292->1277 1296 4c4019 1292->1296 1293->1294 1294->1266 1297 4c40a0 1294->1297 1296->1274 1297->1265
                                                    APIs
                                                    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004C3F99
                                                    • IsWindow.USER32 ref: 004C3FC7
                                                    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004C4096
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: MessagePeek$Window
                                                    • String ID:
                                                    • API String ID: 1210580970-0
                                                    • Opcode ID: 8614e92ee3792c5e0f4a1698ca8b3bdd5d9b1a0d60cc895be9ec4b9491304137
                                                    • Instruction ID: e9488843fc5e09c7b8f5aa328d07432363fd9216aacfc801b766d78df0683d1c
                                                    • Opcode Fuzzy Hash: 8614e92ee3792c5e0f4a1698ca8b3bdd5d9b1a0d60cc895be9ec4b9491304137
                                                    • Instruction Fuzzy Hash: A031B174644206AFDB54DF21CA94FABB3A8FF84359F40052EFA1583241D739ED18CBA6

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1478 54a610-54a63b SetErrorMode * 2 call 5497bf * 2 1483 54a65c-54a666 call 5497bf 1478->1483 1484 54a63d-54a657 call 54a673 1478->1484 1488 54a66d-54a670 1483->1488 1489 54a668 call 544c01 1483->1489 1484->1483 1489->1488
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000000,00000000,00545EB5,00000000,00000000,00000000,00000000,?,00000000,?,0053D643,00000000,00000000,00000000,00000000,0052DDA8), ref: 0054A619
                                                    • SetErrorMode.KERNEL32(00000000,?,00000000,?,0053D643,00000000,00000000,00000000,00000000,0052DDA8,00000000), ref: 0054A620
                                                      • Part of subcall function 0054A673: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0054A6A4
                                                      • Part of subcall function 0054A673: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0054A745
                                                      • Part of subcall function 0054A673: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0054A772
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
                                                    • String ID:
                                                    • API String ID: 3389432936-0
                                                    • Opcode ID: a950021dbd7f2cff136bb401d917dbb3d2cd5524086a1a0ce42b0edfcb3f18c1
                                                    • Instruction ID: 61290f7f7966688914ff4d8210981358b095b91cde57544b162207b09e7d6391
                                                    • Opcode Fuzzy Hash: a950021dbd7f2cff136bb401d917dbb3d2cd5524086a1a0ce42b0edfcb3f18c1
                                                    • Instruction Fuzzy Hash: B3F037759A42118FD754BF24D449A8A7FE5BF84714F0A848AF4489B3A2CB70D840CF96
                                                    APIs
                                                    • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004C40C7
                                                    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004C40ED
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: MessagePeek
                                                    • String ID:
                                                    • API String ID: 2222842502-0
                                                    • Opcode ID: d5d2506b950605fd47a43454618ffe8a54ad3c91368ebf1fb006fd2e3387a302
                                                    • Instruction ID: 3060bef3242b9e64f1d83d7d4beb61524e2d549d16d15d59f0f09b8f25f1f37b
                                                    • Opcode Fuzzy Hash: d5d2506b950605fd47a43454618ffe8a54ad3c91368ebf1fb006fd2e3387a302
                                                    • Instruction Fuzzy Hash: D9F06535680312AAFA20E6A48D16F5A36587F84B00F64445EB7009B1D5D6B4E4048AAA
                                                    APIs
                                                    • HeapCreate.KERNEL32(00000000,00001000,00000000,0052DD26,00000001), ref: 00533D59
                                                      • Part of subcall function 00533C00: GetVersionExA.KERNEL32 ref: 00533C1F
                                                    • HeapDestroy.KERNEL32 ref: 00533D98
                                                      • Part of subcall function 00537615: HeapAlloc.KERNEL32(00000000,00000140,00533D81,000003F8), ref: 00537622
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Heap$AllocCreateDestroyVersion
                                                    • String ID:
                                                    • API String ID: 2507506473-0
                                                    • Opcode ID: af64821078d90016b58e6de7cd4c4c17b93af33b7c5ffedb6c6ceb7551cc911c
                                                    • Instruction ID: 3005f0fa4dea441b7e9ff5c19e1f18e0758b21afb4d3c8aa1a5068578a6eae4d
                                                    • Opcode Fuzzy Hash: af64821078d90016b58e6de7cd4c4c17b93af33b7c5ffedb6c6ceb7551cc911c
                                                    • Instruction Fuzzy Hash: 90F092706543029FEF342B70AD4A7293F94BF80BC7F208C25F401C91F5EB608681DA02
                                                    APIs
                                                    • IsBadReadPtr.KERNEL32(00000000,00000008), ref: 10027C6E
                                                    • RtlFreeHeap.NTDLL(00BB0000,00000000,00000000), ref: 10027C80
                                                      • Part of subcall function 10027AE0: GetModuleHandleA.KERNEL32(10000000,10027CB6,?,?,00000000,10013438,00000004,1002D4C1,00000000,00000000,?,00000014,00000000,00000000), ref: 10027AEA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: FreeHandleHeapModuleRead
                                                    • String ID:
                                                    • API String ID: 627478288-0
                                                    • Opcode ID: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                                                    • Instruction ID: 59851536013e0aac3578df5bad16e171669d5e3b00cd7f1de4e20f90094f5fd3
                                                    • Opcode Fuzzy Hash: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                                                    • Instruction Fuzzy Hash: 46E0ED71A0153297EB21FB34ADC4A4B769CFB417C0BB1402AF548B3151D330AC818BA2
                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0052F6EC
                                                      • Part of subcall function 00536404: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0053051C,00000009,00000000,00000000,00000001,00533B91,00000001,00000074,?,?,00000000,00000001), ref: 00536441
                                                      • Part of subcall function 00536404: EnterCriticalSection.KERNEL32(?,?,?,0053051C,00000009,00000000,00000000,00000001,00533B91,00000001,00000074,?,?,00000000,00000001), ref: 0053645C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$AllocateEnterHeapInitialize
                                                    • String ID:
                                                    • API String ID: 1616793339-0
                                                    • Opcode ID: 07ed0954b32abc0448bb45259bccae278de14bf3fca98205a1815d222d60e768
                                                    • Instruction ID: 305235d5c03fdd056c23329a9631b5a2131395e1c4e749564b40aeab5d033725
                                                    • Opcode Fuzzy Hash: 07ed0954b32abc0448bb45259bccae278de14bf3fca98205a1815d222d60e768
                                                    • Instruction Fuzzy Hash: A221E572A00226ABDB20DB64FD46B9DBB74FF01B64F148235F410EB6E0C774B8418B94
                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,0053051C,00000009,00000000,00000000,00000001,00533B91,00000001,00000074), ref: 0052F5B2
                                                      • Part of subcall function 00536404: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0053051C,00000009,00000000,00000000,00000001,00533B91,00000001,00000074,?,?,00000000,00000001), ref: 00536441
                                                      • Part of subcall function 00536404: EnterCriticalSection.KERNEL32(?,?,?,0053051C,00000009,00000000,00000000,00000001,00533B91,00000001,00000074,?,?,00000000,00000001), ref: 0053645C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$EnterFreeHeapInitialize
                                                    • String ID:
                                                    • API String ID: 641406236-0
                                                    • Opcode ID: 2d4f46c75ae90a4aacd3b987706eb7c7185c855123ba77a37b62cfb14d749cad
                                                    • Instruction ID: 460a9c6898f188cd0c45a8af5fa3afcf83775dcb23062754fb9cb7c28b9ee8a2
                                                    • Opcode Fuzzy Hash: 2d4f46c75ae90a4aacd3b987706eb7c7185c855123ba77a37b62cfb14d749cad
                                                    • Instruction Fuzzy Hash: D42186B2901619ABDF259F54FC46B9EBF78FF05721F144139F410A11C1DB349A41CBA1
                                                    APIs
                                                    • LoadStringA.USER32(?,?,?,?), ref: 00545788
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: LoadString
                                                    • String ID:
                                                    • API String ID: 2948472770-0
                                                    • Opcode ID: c1b1d911e08022ae39e4ef26d74cdd36d3da38d948a58a4fd60697d53b6af94b
                                                    • Instruction ID: 316f36bd3042288640475e4a47daf85dc0d20d51f61549422664542fc3b58111
                                                    • Opcode Fuzzy Hash: c1b1d911e08022ae39e4ef26d74cdd36d3da38d948a58a4fd60697d53b6af94b
                                                    • Instruction Fuzzy Hash: A4D0A7721483629BC711DF508808CCFBFA8FF55315B040C0DF88447112D320C404CB61
                                                    APIs
                                                    • ShowWindow.USER32(?,?,004C0C1C,00000000), ref: 00544268
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: ShowWindow
                                                    • String ID:
                                                    • API String ID: 1268545403-0
                                                    • Opcode ID: ffc18a60ec64a25ffe576df6f9df42f32a41d4df3b93da3696965e1d8b0a479c
                                                    • Instruction ID: 65f01fd27c374b06f8fb20ac46830e62d759b84c53379d1c0a00d9b395d2d6fb
                                                    • Opcode Fuzzy Hash: ffc18a60ec64a25ffe576df6f9df42f32a41d4df3b93da3696965e1d8b0a479c
                                                    • Instruction Fuzzy Hash: 2CD0C935308200EFCF458FA0DA48B5ABBB2BF94709F209968F5468A169D732DC52FF01
                                                    APIs
                                                    • DeleteFileA.KERNEL32(00000000,10015A7E,00000001,10014425,00000000,80000004), ref: 10028E55
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: DeleteFile
                                                    • String ID:
                                                    • API String ID: 4033686569-0
                                                    • Opcode ID: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                                                    • Instruction ID: ffbd99c73049c44a809e906c9e813abd6042298cab9f2baa300a0a2bd65e465f
                                                    • Opcode Fuzzy Hash: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                                                    • Instruction Fuzzy Hash: 5EA00275904611EBDE11DBA4C9DC84B7BACAB84341B108844F155C2130C634D451CB21
                                                    APIs
                                                    • IsWindow.USER32(00000000), ref: 1001F57C
                                                    • IsIconic.USER32(00000000), ref: 1001F86F
                                                    • GetDCEx.USER32(00000000,00000000,00000020,?,?,?,?,-00000004), ref: 1001F8D4
                                                    • GetDCEx.USER32(00000000,00000000,00000020,?,?,?,?,-00000004), ref: 1001FE93
                                                    • GetWindowInfo.USER32(00000000,00000000), ref: 1001FFE2
                                                    • GetWindowRect.USER32(00000000,?), ref: 100201EB
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 100205D5
                                                    • CreateDIBSection.GDI32(00000000,00000000,00000000,00000000), ref: 100206C0
                                                    • SelectObject.GDI32(00000000,00000000), ref: 10020798
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 100207D7
                                                    • SelectObject.GDI32(00000000,00000000), ref: 1002086C
                                                    • PrintWindow.USER32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,-00000004), ref: 100208A9
                                                    • BitBlt.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00CC0020), ref: 1002091B
                                                    • SelectObject.GDI32(00000000,00000000), ref: 10020ADE
                                                    • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 10020CB4
                                                      • Part of subcall function 10028090: _CIfmod.MSVCRT(?,?,?,1000197A,00000002,?,?,80000601,00000000,40140000,80000601,00000000,00000000,00000001), ref: 100280A8
                                                      • Part of subcall function 10002461: HeapAlloc.KERNEL32(00000008,?,?,10026C94), ref: 1000247B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: Window$CreateObjectSelect$Compatible$AllocBitsHeapIconicIfmodInfoPrintRectSection
                                                    • String ID:
                                                    • API String ID: 3140154463-0
                                                    • Opcode ID: 88eda80100b7a025ec30ab416d140f093013ab73758d7af4ff83b5959809b2a7
                                                    • Instruction ID: ea048d8ca86424f245eedfb131be0975fd1a5b6ab4dedd9bad29979357843bcf
                                                    • Opcode Fuzzy Hash: 88eda80100b7a025ec30ab416d140f093013ab73758d7af4ff83b5959809b2a7
                                                    • Instruction Fuzzy Hash: CB13F3B0A40329DBEF20CF54DCC1B99BBB1FF19314F5440A4E648AB241D775AAA4DF25
                                                    APIs
                                                    • PathFindFileNameA.SHLWAPI(00000000), ref: 100143A7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: FileFindNamePath
                                                    • String ID:
                                                    • API String ID: 1422272338-0
                                                    • Opcode ID: 0e6eff065a05a2f384f771e1e98f391994859e5652061184b7ca416d9ae97ae4
                                                    • Instruction ID: 6aa6a69dd7cd03d5bb48bed33b8f4d969fd18b6c87b19858859c797241170964
                                                    • Opcode Fuzzy Hash: 0e6eff065a05a2f384f771e1e98f391994859e5652061184b7ca416d9ae97ae4
                                                    • Instruction Fuzzy Hash: 6A8276B5E40309ABEB10DFD0DC82F9E77B4EF14741F550025F608BE291EBB2AA558B52
                                                    APIs
                                                    • IsIconic.USER32(?), ref: 004CC59C
                                                    • IsZoomed.USER32(?), ref: 004CC5AA
                                                    • LoadLibraryA.KERNEL32(User32.dll,00000003,00000009), ref: 004CC5D4
                                                    • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004CC5E7
                                                    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004CC5F5
                                                    • FreeLibrary.KERNEL32(00000000), ref: 004CC62B
                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004CC641
                                                    • IsWindow.USER32(?), ref: 004CC66E
                                                    • ShowWindow.USER32(?,00000005,?,?,?,?,00000004), ref: 004CC67B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryProcWindow$FreeIconicInfoLoadParametersShowSystemZoomed
                                                    • String ID: GetMonitorInfoA$H$MonitorFromWindow$User32.dll
                                                    • API String ID: 447426925-661446951
                                                    • Opcode ID: e3c9081808f3a6c06a94af234ffa932566e37fd4afcceb11e6dd3c0bc71baef1
                                                    • Instruction ID: 0015e01cb62ea38e8a775510f96baccfee101a7d8a3b07d4d0453bf61e3b1b4e
                                                    • Opcode Fuzzy Hash: e3c9081808f3a6c06a94af234ffa932566e37fd4afcceb11e6dd3c0bc71baef1
                                                    • Instruction Fuzzy Hash: 53318075740302AFDB609F65CC99F2B77A8EF94B01F00451DFA15A7290EBB8EC098B65
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 004C51C5
                                                    • IsWindow.USER32(00020458), ref: 004C51E1
                                                    • SendMessageA.USER32(00020458,000083E7,?,00000000), ref: 004C51FA
                                                    • ExitProcess.KERNEL32 ref: 004C520F
                                                    • FreeLibrary.KERNEL32(?), ref: 004C52F3
                                                    • FreeLibrary.KERNEL32 ref: 004C5347
                                                    • DestroyIcon.USER32(00000000), ref: 004C5397
                                                    • DestroyIcon.USER32(00000000), ref: 004C53AE
                                                    • IsWindow.USER32(00020458), ref: 004C53C5
                                                    • DestroyIcon.USER32(?,00000001,00000000,000000FF), ref: 004C5474
                                                    • WSACleanup.WS2_32 ref: 004C54BF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: DestroyIcon$FreeLibraryWindow$CleanupCurrentExitMessageProcessSendThread
                                                    • String ID:
                                                    • API String ID: 3816745216-0
                                                    • Opcode ID: f0d9a70cdff0468791dde31c942f17e7789855842212ddbf8e306ee36dae3f7d
                                                    • Instruction ID: f15aa76c9b86a7e4cc96f9be315a982b954b6d3f2b126e6e67abce3de9a3b786
                                                    • Opcode Fuzzy Hash: f0d9a70cdff0468791dde31c942f17e7789855842212ddbf8e306ee36dae3f7d
                                                    • Instruction Fuzzy Hash: 1BB1AB74200B029BC764DF65C8D5FABB7E4BF88305F40452EE99A87391DB34B981CB58
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D459,?), ref: 1000C917
                                                    • InterlockedExchange.KERNEL32(1002D45D,?), ref: 1000C9CE
                                                    • InterlockedExchange.KERNEL32(1002D461,?), ref: 1000CA85
                                                    • InterlockedExchange.KERNEL32(1002D465,?), ref: 1000CB3C
                                                    • InterlockedExchange.KERNEL32(1002D469,?), ref: 1000CBF3
                                                    • InterlockedExchange.KERNEL32(1002D455,?), ref: 1000CCAA
                                                      • Part of subcall function 10001D56: IsBadCodePtr.KERNEL32(00000000), ref: 10001D73
                                                    • GetWindowThreadProcessId.USER32(1000C613,00000000), ref: 1000CCFD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked$CodeProcessThreadWindow
                                                    • String ID:
                                                    • API String ID: 1323220708-0
                                                    • Opcode ID: a57e3a7ebe96e369419e08ba99744fb8776840faf4a81f30f508d6abc0fe4111
                                                    • Instruction ID: 2b64659c084c5c153bef61b4d063f84a8c6e811bd728d09e8d095ab07dd3c45c
                                                    • Opcode Fuzzy Hash: a57e3a7ebe96e369419e08ba99744fb8776840faf4a81f30f508d6abc0fe4111
                                                    • Instruction Fuzzy Hash: AF5308B5E00348ABEF11DFD4DC82FADBBB5EF08344F540029FA04BA296D7B669548B15
                                                    APIs
                                                    • GetWindowRect.USER32(00000001,00000001), ref: 1002140D
                                                    • GetDCEx.USER32(00000000,00000000,00000020,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 100218AD
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 100218DC
                                                    • SelectObject.GDI32(00000000,00000000), ref: 1002195D
                                                    • PrintWindow.USER32(00000001,00000000,00000000), ref: 10021994
                                                    • GetObjectA.GDI32(00000000,00000018,00000000), ref: 10021A33
                                                    • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 10021CA1
                                                    • SelectObject.GDI32(00000000,00000000), ref: 100220CA
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 10022153
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: Object$SelectWindow$BitsCompatibleCreatePrintRectRelease
                                                    • String ID:
                                                    • API String ID: 2343085801-0
                                                    • Opcode ID: 63133bb0db85fb87063aa834a4ef367d52919f1049c1e49f4a6d5bd8347d4e59
                                                    • Instruction ID: af8189180e66b16a91b6480abd6d1d91958fea63da9546105489bf86ff406ccc
                                                    • Opcode Fuzzy Hash: 63133bb0db85fb87063aa834a4ef367d52919f1049c1e49f4a6d5bd8347d4e59
                                                    • Instruction Fuzzy Hash: A7A2BCB4E40359ABEF10CF94DC81B9DBBB1FF09304F604064EA09AB295D3B56965CB26
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7d8c1d9c2f8039d9eb5a34b6013b20f320de8c7e74760dc6957ac04b0f88dee6
                                                    • Instruction ID: 3bda3cc115c89e86ac3fecebe8c91109b6b7550272e0fe2c6be6b603b68b48b7
                                                    • Opcode Fuzzy Hash: 7d8c1d9c2f8039d9eb5a34b6013b20f320de8c7e74760dc6957ac04b0f88dee6
                                                    • Instruction Fuzzy Hash: 3562D0796083019BC7A4CF25C891F6BB7E5AFC4314F15892EF98A97341DB38E805CB5A
                                                    APIs
                                                    • GetVersionExA.KERNEL32 ref: 00533C1F
                                                    • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00533C54
                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00533CB4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentFileModuleNameVariableVersion
                                                    • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                    • API String ID: 1385375860-4131005785
                                                    • Opcode ID: 9f95769abd9352f71d3c7db14b83ca2b89205ad466b3bad723754e2c654ccc19
                                                    • Instruction ID: 278d88a88197a603e981a8106d5c9fd9624103140aa5df7cb7abcf2f5b99d593
                                                    • Opcode Fuzzy Hash: 9f95769abd9352f71d3c7db14b83ca2b89205ad466b3bad723754e2c654ccc19
                                                    • Instruction Fuzzy Hash: E5314D7194539C6EEB358770AC55BDD3F68BF02740F2418E9E145E9052E6308FD5CB10
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ?$\$\REGISTRY\MACHINE$\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT$\REGISTRY\USER$_Classes
                                                    • API String ID: 0-1655980394
                                                    • Opcode ID: e22ae917082b87936fa41f08c48656746adfa22af9818a3601b39729e2dc5093
                                                    • Instruction ID: cfee4882955295f256346ab5d35a508912345f973a0f1410f6445f43bbb6ad63
                                                    • Opcode Fuzzy Hash: e22ae917082b87936fa41f08c48656746adfa22af9818a3601b39729e2dc5093
                                                    • Instruction Fuzzy Hash: 379124B5E00209EFDF40DFD4DD85BAE7BB8FF18240F604429E60DAA241D7759B849B62
                                                    APIs
                                                    • UnmapViewOfFile.KERNEL32(00000000,00000000,00000000,?,00000018,00000000,00000000,00000000,00000000,00000000,00000018,00000000,00000000,00000000,00000000,00000000), ref: 100226B0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: FileUnmapView
                                                    • String ID:
                                                    • API String ID: 2564024751-0
                                                    • Opcode ID: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                                                    • Instruction ID: aca3888e1ced534dfb8bff30dc6f5772290e13aa398f14ea119e8b9ebb5f1563
                                                    • Opcode Fuzzy Hash: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                                                    • Instruction Fuzzy Hash: CED1AF75D40209FBEF219FE0EC46BDDBAB1EB09714F608115F6203A2E0C7B62A549F59
                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 1001A976
                                                    • SelectObject.GDI32(00000000,00000000), ref: 1001A9E8
                                                    • SelectObject.GDI32(00000000,00000000), ref: 1001ABA2
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 1001ABFD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ObjectSelect$Release
                                                    • String ID:
                                                    • API String ID: 3581861777-0
                                                    • Opcode ID: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                                                    • Instruction ID: 0a28f281d22c81f76b667070ee8f4b39c3514b9b46e69f88ae8cd14bf3a1b365
                                                    • Opcode Fuzzy Hash: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                                                    • Instruction Fuzzy Hash: 2B9116B0D40309EBDF01EF81DC86BAEBBB1EB0A715F005015F6187A290D3B69691CF96
                                                    APIs
                                                    • GetWindow.USER32(?,00000005), ref: 1001A773
                                                    • IsWindowVisible.USER32(00000000), ref: 1001A7AC
                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 1001A7E9
                                                    • GetWindow.USER32(00000000,00000002), ref: 1001A872
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: Window$ProcessThreadVisible
                                                    • String ID:
                                                    • API String ID: 569392824-0
                                                    • Opcode ID: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
                                                    • Instruction ID: 356be4359fdaef5b37944779847d5b641f80ef076249e3ad3302764c89b6051f
                                                    • Opcode Fuzzy Hash: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
                                                    • Instruction Fuzzy Hash: 284105B4D40219EBEB40EF90DC87BAEFBB0FB06711F105065E5097E190E7B19A90CB96
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID: ($`+gw
                                                    • API String ID: 3535843008-2241849537
                                                    • Opcode ID: 7a332dac4401a920269cba03dc06d0fc5b09a4c31d79a57ea6b303e349c4f0f0
                                                    • Instruction ID: acc8f56f01466ae78c1c2cfb7f14f5a9cb3254fd2462285b483ece6b545600e1
                                                    • Opcode Fuzzy Hash: 7a332dac4401a920269cba03dc06d0fc5b09a4c31d79a57ea6b303e349c4f0f0
                                                    • Instruction Fuzzy Hash: 41220CB5D00219ABEF00DFE4ECC1BAEB775FF18340F504028FA15BA256D776A9608B61
                                                    APIs
                                                    • SystemParametersInfoA.USER32(00000059,00000000,00000000,00000000), ref: 100156E3
                                                    • SystemParametersInfoA.USER32(0000005A,00000000,00000000,00000002), ref: 100158B9
                                                    • UnloadKeyboardLayout.USER32(00000000), ref: 100159A5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: InfoParametersSystem$KeyboardLayoutUnload
                                                    • String ID:
                                                    • API String ID: 1487128349-0
                                                    APIs
                                                    • ReleaseMutex.KERNEL32(?,?,10026B6B), ref: 100141AB
                                                    • NtClose.NTDLL(?), ref: 100141D7
                                                    Similarity
                                                    • API ID: CloseMutexRelease
                                                    • String ID: `+gw
                                                    • API String ID: 2985832019-3399981281
                                                    APIs
                                                    • lstrlen.KERNEL32(00000000,FFFFFFFF,00000000,?,00000000,00000000,00000001,FFFFFFFF,00000000,?,FFFFFFFF,00000000,?,FFFFFFFF,00000000), ref: 10019B06
                                                    Similarity
                                                    • API ID: lstrlen
                                                    • String ID: Z$w
                                                    • API String ID: 1659193697-2716038989
                                                    APIs
                                                    • WindowFromDC.USER32(00000000), ref: 100237BF
                                                    • GetCurrentObject.GDI32(00000000,00000007), ref: 100237FF
                                                    Similarity
                                                    • API ID: CurrentFromObjectWindow
                                                    • String ID:
                                                    • API String ID: 1970099965-0
                                                    APIs
                                                    • GetStockObject.GDI32(00000011), ref: 1001ACD1
                                                    Similarity
                                                    • API ID: ObjectStock
                                                    • String ID:
                                                    • API String ID: 3428563643-3916222277
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D531,?), ref: 10025544
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID: Thread
                                                    • API String ID: 367298776-915163573
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D529,?), ref: 10024841
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID: Process
                                                    • API String ID: 367298776-1235230986
                                                    APIs
                                                    • lstrlen.KERNEL32(00000000,000000FF,00000000,?,00000000,00000000,?,0000009C,00000000,?,?,FFFFFF9C,00000000), ref: 10026700
                                                    Similarity
                                                    • API ID: lstrlen
                                                    • String ID: #
                                                    • API String ID: 1659193697-1885708031
                                                    APIs
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,10007D8B,00000000), ref: 10007EA0
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,FFFFFFFF,10007D8B,00000000,00000000,00000000,00000000,00000000), ref: 10007F7E
                                                    Similarity
                                                    • API ID: ByteCharMultiWide
                                                    • String ID:
                                                    • API String ID: 626452242-0
                                                    APIs
                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001368C
                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 10013744
                                                    Similarity
                                                    • API ID: ByteCharMultiWide
                                                    • String ID:
                                                    • API String ID: 626452242-0
                                                    APIs
                                                    • ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,?,?,?,100172C1,00000000,00000000,00000000), ref: 10017D82
                                                    • ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,100172C1), ref: 10017E29
                                                    Similarity
                                                    • API ID: EnvironmentExpandStrings
                                                    • String ID:
                                                    • API String ID: 237503144-0
                                                    APIs
                                                    • DispatchMessageA.USER32(1001176C), ref: 100116D4
                                                    • CallWindowProcA.USER32(?,?,?,?), ref: 10011714
                                                    Similarity
                                                    • API ID: CallDispatchMessageProcWindow
                                                    • String ID:
                                                    • API String ID: 3568206097-0
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000000,00000000,00000000,?,?,?,100078F7,00000000,00000000,00000000), ref: 10002169
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000002,00000000,00000000,?,?,?,?,?,?,?,100078F7), ref: 1000222A
                                                    Similarity
                                                    • API ID: ByteCharMultiWide
                                                    • String ID:
                                                    • API String ID: 626452242-0
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D519,?), ref: 1001DD15
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    APIs
                                                    • PathFindFileNameA.SHLWAPI(00000000,?,00000000,00000000,00000000,00000000,0000001C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001C7F6
                                                    Similarity
                                                    • API ID: FileFindNamePath
                                                    • String ID:
                                                    • API String ID: 1422272338-0
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D535,?), ref: 10025AFF
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    APIs
                                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000000,00000000,00000000), ref: 1001D53E
                                                      • Part of subcall function 10001D56: IsBadCodePtr.KERNEL32(00000000), ref: 10001D73
                                                    Similarity
                                                    • API ID: CodeLibraryLoad
                                                    • String ID:
                                                    • API String ID: 4269728939-0
                                                    APIs
                                                      • Part of subcall function 10028720: atoi.MSVCRT(00000000), ref: 1002877E
                                                    • RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 1000918C
                                                    Similarity
                                                    • API ID: MemoryMoveatoi
                                                    • String ID:
                                                    • API String ID: 2867837884-0
                                                    APIs
                                                    • RtlMoveMemory.NTDLL(00000000), ref: 1000665A
                                                    Similarity
                                                    • API ID: MemoryMove
                                                    • String ID:
                                                    • API String ID: 1951056069-0
                                                    APIs
                                                    • GetKeyboardLayoutList.USER32(00000040,?,00000000,00000000), ref: 10015BEE
                                                    Similarity
                                                    • API ID: KeyboardLayoutList
                                                    • String ID:
                                                    • API String ID: 4253248152-0
                                                    APIs
                                                    • LdrGetProcedureAddress.NTDLL(00000000,00000000,00000000), ref: 10006115
                                                    Similarity
                                                    • API ID: AddressProcedure
                                                    • String ID:
                                                    • API String ID: 3653107232-0
                                                    • Opcode ID: b0fdcc2e6f29255798221e87a4cc1c59c4c258f69b8f0650fd83bedbacb84739
                                                    • Instruction ID: 78c0987cb7ffc063797d9a6f9d393f2066e6151a443f59dc1fc5ba499ae867df
                                                    • Opcode Fuzzy Hash: b0fdcc2e6f29255798221e87a4cc1c59c4c258f69b8f0650fd83bedbacb84739
                                                    • Instruction Fuzzy Hash: 564146B5D40209AFEB00DFD4EC81BAEB7B5FF18314F244065E909AB245D375AA54CB62
                                                    APIs
                                                    • LdrGetDllHandleEx.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 1000B6DF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: Handle
                                                    • String ID:
                                                    • API String ID: 2519475695-0
                                                    • Opcode ID: 9cc028ce4cef6fd72751e9c02f2673b6ffa45c8eaa4f1332740a5ce7082965a9
                                                    • Instruction ID: f5b1eeb52ae3afd7add8d8d659320dd3d1fa50eb2e7bb74abf840f5972d141ec
                                                    • Opcode Fuzzy Hash: 9cc028ce4cef6fd72751e9c02f2673b6ffa45c8eaa4f1332740a5ce7082965a9
                                                    • Instruction Fuzzy Hash: 6B312FF6D40205ABEB40DF94ECC2B9AB7F8FF18314F184065E90DAB341E375A9548B62
                                                    APIs
                                                    • RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ComputeCrc32
                                                    • String ID:
                                                    • API String ID: 660108262-0
                                                    • Opcode ID: 3b3c4a398f2c335a2580c0c2c9e01d6ed997776affae00ca87f118d2e0373c7b
                                                    • Instruction ID: 885f51156191be290847c32039febb9a430df116088fdaca21ba1fa0fc310e03
                                                    • Opcode Fuzzy Hash: 3b3c4a398f2c335a2580c0c2c9e01d6ed997776affae00ca87f118d2e0373c7b
                                                    • Instruction Fuzzy Hash: FE3149B5E00309BBEB51DFD49C82FBE77B8EF14740F104068FA18BA242D7B6A6509B51
                                                    APIs
                                                    • GetSystemDirectoryA.KERNEL32(00000000,00000100), ref: 10018935
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: DirectorySystem
                                                    • String ID:
                                                    • API String ID: 2188284642-0
                                                    • Opcode ID: 2c93ccefffdd24751a113a6a8b127da9d46669cbde7100af002d9a110044543e
                                                    • Instruction ID: ee8817d9cef94c28fb543e8b0ac086dfa591c469ffb5e13cc4bb05c5ca752fcb
                                                    • Opcode Fuzzy Hash: 2c93ccefffdd24751a113a6a8b127da9d46669cbde7100af002d9a110044543e
                                                    • Instruction Fuzzy Hash: 2F115875E00309BBEB40DEE49C42BAD76A8EB08754F241469F608FB241D771AB809756
                                                    APIs
                                                    • IsBadCodePtr.KERNEL32(00000000), ref: 10001D73
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: Code
                                                    • String ID:
                                                    • API String ID: 3609698214-0
                                                    • Opcode ID: a6e85c84f7705da1f0b0ef0dca21cf6d2d6468ef5f288cf7089c26cb1776d2a9
                                                    • Instruction ID: e6d0952806afafb3bf167878436ee8aac056beef16ad5c6831721f9da55ad4d1
                                                    • Opcode Fuzzy Hash: a6e85c84f7705da1f0b0ef0dca21cf6d2d6468ef5f288cf7089c26cb1776d2a9
                                                    • Instruction Fuzzy Hash: E8118B70900209FBEB60DF64CC05BED7BB4EF01390F2041AAED08AA1D4DB729A15DB85
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D4C9,?), ref: 10013C79
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: 8f3db6529a380ad884801686893290e76bb9e31a8db3e312d6667318ca493a2c
                                                    • Instruction ID: 374fef4b2e02d52e2e07c0ca9dad6c55ed4794edc6ac8ae58a0c039705d7fb64
                                                    • Opcode Fuzzy Hash: 8f3db6529a380ad884801686893290e76bb9e31a8db3e312d6667318ca493a2c
                                                    • Instruction Fuzzy Hash: CC0171B5E0020DABDB00FFE09D82BAEBBB9EB04301F404466F50876105EB71EA549B92
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D50D,?), ref: 1001A092
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: 5f714afee4867c402fc67ecef455e1855603a07155a017b7538eac9aa4686da4
                                                    • Instruction ID: cb7720b851b721871b731c706f7cbe3d90cdbd700e2746e4ab45e97b10e25004
                                                    • Opcode Fuzzy Hash: 5f714afee4867c402fc67ecef455e1855603a07155a017b7538eac9aa4686da4
                                                    • Instruction Fuzzy Hash: 5C018DB5D00218ABDB11FFD09C82B9E77B8EB09341F804466F50476111D7719B988792
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D51D,00000040), ref: 100228E3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: 194b0fc893c5977093f79026a72dc70755a1496586ec811bd8de5678d100e2c9
                                                    • Instruction ID: c1b15002a30057ddc80440081b4ff6bc33ecde6fccf9cd62e387e343abd0d63a
                                                    • Opcode Fuzzy Hash: 194b0fc893c5977093f79026a72dc70755a1496586ec811bd8de5678d100e2c9
                                                    • Instruction Fuzzy Hash: DF014DB5D0021DFBEB10EFE0AC82B9E7778EB14644F904066F50466151EB719B549B91
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D3FD,08000000), ref: 10006CF7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: 23192da6ecbc83458441ebdd5d9c372dffc65ab0074d72a51acdd461767757be
                                                    • Instruction ID: 4cade7ef096b15f562c821cb4de08ab4d3fc558eeb9d0de8a70c828ff9c11a3c
                                                    • Opcode Fuzzy Hash: 23192da6ecbc83458441ebdd5d9c372dffc65ab0074d72a51acdd461767757be
                                                    • Instruction Fuzzy Hash: 170175B5E0020DEBEB00EFE0EC82FAE7B79EF04240F504066E51566105D771AB549B92
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D481,00000000), ref: 1000FD11
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: 4a2eef44144669db4c1f9733a33db670b7915dec5e8fa15a72f47dd6e77bff96
                                                    • Instruction ID: 0aed2d4544eee8039acc50f3c1f3685790efcc1e5774387d789b9b1403c596f7
                                                    • Opcode Fuzzy Hash: 4a2eef44144669db4c1f9733a33db670b7915dec5e8fa15a72f47dd6e77bff96
                                                    • Instruction Fuzzy Hash: 9A0188B5D0430DABEB10FFE09C82FAE7779EB04280F40046BF505A6505DB71AA14EB92
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D3E1,00000004), ref: 10003177
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: da42de84fdc45480a06cd4378e972f835c842b750d11b0a6ad2ad2daa698017b
                                                    • Instruction ID: 385097fba51063c84e9e930c69dc2d7aac367372f62906f312b1c310141ed2ce
                                                    • Opcode Fuzzy Hash: da42de84fdc45480a06cd4378e972f835c842b750d11b0a6ad2ad2daa698017b
                                                    • Instruction Fuzzy Hash: 40015275D00208E7EB01EFE09C92BEF7B78EB08280F404066E51566155DB71AA149B92
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D485,00000000), ref: 1000FDAE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: 1a48310d62d447e18139df79d4c208d7064efbc4de3590175f6bd695f184c1e5
                                                    • Instruction ID: 3f7b499d2902c1e46d25e5c31060a7ca09a1136a131adf16b63838e7b32e6cd5
                                                    • Opcode Fuzzy Hash: 1a48310d62d447e18139df79d4c208d7064efbc4de3590175f6bd695f184c1e5
                                                    • Instruction Fuzzy Hash: 0B018875D0024CABEB00FFE0DC82EAE7779EB05380F50006AF505A6115DB716A54EB92
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D43D,?), ref: 10008E04
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: afcca2c59449e325cff3936334e354c9cd28eb17edf5175cf760837ed83860e1
                                                    • Instruction ID: 4c97a0654b066084171f968f8b0ad47121c2de6078470ba5a976a0987d87b010
                                                    • Opcode Fuzzy Hash: afcca2c59449e325cff3936334e354c9cd28eb17edf5175cf760837ed83860e1
                                                    • Instruction Fuzzy Hash: EC0175B5D00219E7EB00FFE0EC82BAE7B78FB14240F504466F54566145EB716B549B92
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D40D,00000008), ref: 10007E19
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: c28a3b2f2e25cb6acfcff6b005e4e53fcd9242a91f843676d212f9070d1610bf
                                                    • Instruction ID: 3b8a368ce3914a44cda768e978636fd60f477d925661c7c420499c797e447cb4
                                                    • Opcode Fuzzy Hash: c28a3b2f2e25cb6acfcff6b005e4e53fcd9242a91f843676d212f9070d1610bf
                                                    • Instruction Fuzzy Hash: 9B0171B5D00249ABEB00FFE0EC82AAEBB78FB04240F404466E60966115DB75AB549B92
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D441,?), ref: 10008EA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: b38c6ebf94637de38798da6e1c23dd87dd1bdd738f4a7bbe3db8cae8409ee598
                                                    • Instruction ID: 1686f6cdf9a679c1f5c84585fd33387023eb604c586a5dba44084a63d2e43e5f
                                                    • Opcode Fuzzy Hash: b38c6ebf94637de38798da6e1c23dd87dd1bdd738f4a7bbe3db8cae8409ee598
                                                    • Instruction Fuzzy Hash: 9C0171B5D00359ABEB10FFE0DC82BAEBB78FB04380F400066E64576115EB71AB54CB92
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D47D,00000000), ref: 1000FAD0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: 2ecd14835ddfe2db98adf362f1cc27abc66221ca3baeee4228986d5531294eba
                                                    • Instruction ID: 82e752f980966cf0ba4425328bdbe0b5f15696934bb6f442517d9b0340b204dc
                                                    • Opcode Fuzzy Hash: 2ecd14835ddfe2db98adf362f1cc27abc66221ca3baeee4228986d5531294eba
                                                    • Instruction Fuzzy Hash: 510179B5E00209EBEB00FFE09C82AAEB778EB05240F504466F54566145EBB16654DB92
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D521,00000000), ref: 10022AE1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: c21c2a8c4cec09cdedbb30eba6480203a51324f4c4c5902b1b0fefa990e6b838
                                                    • Instruction ID: 1a66ded8f8981fca5c39a2578b95296ca62aec53b1f76630b0cdbd515d7a4f8c
                                                    • Opcode Fuzzy Hash: c21c2a8c4cec09cdedbb30eba6480203a51324f4c4c5902b1b0fefa990e6b838
                                                    • Instruction Fuzzy Hash: D60175B5D00308BBDB11EFE0AC82FEEBB78EB14344F400066E90566501E7B56B14DB92
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D4B9,10026CF1), ref: 10011EEA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: 387a02cd27c85a9e9645a962391e1fc87b5c3584c8544df15e9cc9309148cd0f
                                                    • Instruction ID: ae9516facd56fc145b0b9ba1995b908798816dd09d6beae3d77d7b55205b3fe1
                                                    • Opcode Fuzzy Hash: 387a02cd27c85a9e9645a962391e1fc87b5c3584c8544df15e9cc9309148cd0f
                                                    • Instruction Fuzzy Hash: AF0184B5E0420CABDB00FFE0EC82BEEBBB9EB04244F400466F5056A111DB75EA549B92
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D525,00000000), ref: 10024745
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: 16372e4eb88579a8b12f2817b7d5f3197544eee2f9c96a83dd2f20b74f294324
                                                    • Instruction ID: 4f30fde94411f2541dcfd4e169ebb1e46575794177a9fc60b21b5106f81313a2
                                                    • Opcode Fuzzy Hash: 16372e4eb88579a8b12f2817b7d5f3197544eee2f9c96a83dd2f20b74f294324
                                                    • Instruction Fuzzy Hash: 1001D8B5D0431CA7DB00FFE0ACC2FAEBB78EB05300F810465E51566101EBB16A14DB92
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D435,?), ref: 10008B88
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: c9e7b862b60fe74ed4fe71638f98d4edbead8bac7f3d7a8f9d653b4e1fb7c940
                                                    • Instruction ID: 91e5747cc3fe246938bda6916c84b67a4fdfd623eeedb860250414ba6297eca5
                                                    • Opcode Fuzzy Hash: c9e7b862b60fe74ed4fe71638f98d4edbead8bac7f3d7a8f9d653b4e1fb7c940
                                                    • Instruction Fuzzy Hash: 7B0171B5D0020DABEB50FFE49C82EAEBBB8FB04240F500466E54466115EB71AB14DB92
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D411,?), ref: 1000839E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: 278c620e1e7e4d768f896ce18c2c498cb7bc6a05be8e6297497d5f0b97cf32e1
                                                    • Instruction ID: 31dc5b1c38583c82a0824eac09af333b299f07736d69ab93248bda9d1065cdb0
                                                    • Opcode Fuzzy Hash: 278c620e1e7e4d768f896ce18c2c498cb7bc6a05be8e6297497d5f0b97cf32e1
                                                    • Instruction Fuzzy Hash: 390175B5D04308A7EB40FFE09C82AAE7778FB04640F405476F54466145D771AB54CB92
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D44D,00000000), ref: 1000B3B4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: 76ce89a9342da98fe2dfecb2c94b98527dad8150a52251657d2f7bd5707e59c8
                                                    • Instruction ID: a0f89ea6e8a02a489adc9b983919e457af64c69ca27a1623b1b8ea733fed46f6
                                                    • Opcode Fuzzy Hash: 76ce89a9342da98fe2dfecb2c94b98527dad8150a52251657d2f7bd5707e59c8
                                                    • Instruction Fuzzy Hash: 5F0184B5D0030CEBEB00FFE0AD92FAEBB78EB04240F504066F50466145DBB1AB54DB92
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D4C5,00000014), ref: 10013804
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D439,?), ref: 10008C25
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D4D9,?), ref: 10014029
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D409,00000001), ref: 10007C2B
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D52D,00000000), ref: 10025448
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D451,00000000), ref: 1000B451
                                                    APIs
                                                    • GetAncestor.USER32(100236B8,00000001,?,?,100236B8), ref: 1002371A
                                                    APIs
                                                    • CreateMutexA.KERNEL32(00000000,00000000,00000001,00000001,00000000,00000000,00000001), ref: 100101C4
                                                    APIs
                                                    • ReleaseMutex.KERNEL32(?,1000702C), ref: 1000635D
                                                    APIs
                                                    • HeapAlloc.KERNEL32(00000008,00000000), ref: 1000F7E5
                                                      • Part of subcall function 1000FA6F: InterlockedExchange.KERNEL32(1002D47D,00000000), ref: 1000FAD0
                                                    APIs
                                                    • HeapAlloc.KERNEL32(00000008,?,?,10026C94), ref: 1000247B
                                                    • API ID: ObjectSelect
                                                    • API ID: ComputeCrc32CreateMutex
                                                    • String ID:
                                                    • API String ID: 2647859408-0
                                                    • Opcode ID: fb765643ddb528c65f4c8254d2e67b215b37ca112bcddd59e63a3746b6e22e82
                                                    • Instruction ID: 6e8f39effab6ffe8abe8ce8b2f006d743ef601de1a83054572dbacb1371b805f
                                                    • Opcode Fuzzy Hash: fb765643ddb528c65f4c8254d2e67b215b37ca112bcddd59e63a3746b6e22e82
                                                    • Instruction Fuzzy Hash: FA611274E40319EBEB00EF91DC87BEEBB71EB05750F200026F6147A191D7B1AA51DB96
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    APIs
                                                    • GetFocus.USER32 ref: 004C419F
                                                    • GetWindowRect.USER32(?,?), ref: 004C41F6
                                                    • GetParent.USER32(?), ref: 004C4206
                                                    • GetParent.USER32(?), ref: 004C4239
                                                    • GlobalSize.KERNEL32(00000000), ref: 004C4283
                                                    • GlobalLock.KERNEL32(00000000), ref: 004C428B
                                                    • IsWindow.USER32(?), ref: 004C42A4
                                                    • GetTopWindow.USER32(?), ref: 004C42E1
                                                    • GetWindow.USER32(00000000,00000002), ref: 004C42FA
                                                    • SetParent.USER32(?,?), ref: 004C4326
                                                    • SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 004C4371
                                                    • SendMessageA.USER32(?,00008076,00000000,00000000), ref: 004C4380
                                                    • GetParent.USER32(?), ref: 004C4393
                                                    • SendMessageA.USER32(?,00008004,00000000,00000000), ref: 004C43AC
                                                    • GetWindowLongA.USER32(?,000000F0), ref: 004C43B4
                                                    • SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004C43E4
                                                    • SendMessageA.USER32(?,0000130C,00000000,00000000), ref: 004C43F2
                                                    • IsWindow.USER32(?), ref: 004C443E
                                                    • GetFocus.USER32 ref: 004C4448
                                                    • SetFocus.USER32(?,00000000), ref: 004C4460
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004C446B
                                                    • GlobalFree.KERNEL32(00000000), ref: 004C4472
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Window$MessageSend$GlobalParent$Focus$FreeLockLongRectSizeUnlock
                                                    • String ID:
                                                    • API String ID: 300820980-0
                                                    • Opcode ID: 46b89426181f45a75755c81c99bb8c500613f3d8c64b140c0b6aaa8104dafc62
                                                    • Instruction ID: eee55fcfe739283037b7b4a46e7c6d5d14d25edaadbf54a0075943387bb208a0
                                                    • Opcode Fuzzy Hash: 46b89426181f45a75755c81c99bb8c500613f3d8c64b140c0b6aaa8104dafc62
                                                    • Instruction Fuzzy Hash: D9A16975204301AFD764EF65CDA9F6BB7E8BBC8700F104A1DFA4187291DB78E8058B69
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(?,00000001,?,00000001,?,?,?,?,?,?,00000000,007F7E08,00000000), ref: 004C4E74
                                                    • LoadLibraryA.KERNEL32(?,00000001,00000000,00000001,?,?,007D7D3C,?,?,?,?,?,?,00000000,007F7E08,00000000), ref: 004C4EB1
                                                    • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 004C4EE7
                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,007F7E08,00000000), ref: 004C4EF2
                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,007F7E08,00000000), ref: 004C4F00
                                                    • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004C500D
                                                    • RegisterTypeLib.OLEAUT32(00000000,00000000), ref: 004C5042
                                                    • CLSIDFromString.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,007F7E08,00000000), ref: 004C5107
                                                    • UnRegisterTypeLib.OLEAUT32(?,00000000,00000000,00000000,00000001), ref: 004C5123
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Library$LoadType$FreeRegister$AddressFromProcString
                                                    • String ID: DllRegisterServer$DllUnregisterServer
                                                    • API String ID: 2476498075-2931954178
                                                    • Opcode ID: 6adeebc547e412af5974387c37d682d3867ff6c3c98371791d9c2174c9422a7a
                                                    • Instruction ID: f879303977d6079e9c16ba7d4398c68262d7366ee29809511d77d6ab517eca64
                                                    • Opcode Fuzzy Hash: 6adeebc547e412af5974387c37d682d3867ff6c3c98371791d9c2174c9422a7a
                                                    • Instruction Fuzzy Hash: 71B1D47590020A9BDB54EFA4D855FEEB7B8FF84314F14452EF815A7281DB38AA05C7A0
                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(?), ref: 10029652
                                                    • LoadLibraryA.KERNEL32(?), ref: 1002965F
                                                    • wsprintfA.USER32 ref: 10029676
                                                    • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002968C
                                                      • Part of subcall function 10027B10: ExitProcess.KERNEL32 ref: 10027B25
                                                    • atoi.MSVCRT(?), ref: 100296CB
                                                    • strchr.MSVCRT ref: 10029703
                                                    • GetProcAddress.KERNEL32(00000000,00000040), ref: 10029721
                                                    • wsprintfA.USER32 ref: 10029739
                                                    • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002974F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
                                                    • String ID: DLL ERROR
                                                    • API String ID: 3187504500-4092134112
                                                    • Opcode ID: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
                                                    • Instruction ID: 2d8d4974cead62a1b0d3c1b872151993aa02a2f76add0cb6c4d459240c98e11b
                                                    • Opcode Fuzzy Hash: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
                                                    • Instruction Fuzzy Hash: 7E3139B26003529BE310EF74AC94F9BB7D8EB85340F904929FB09D3241EB75E919C7A5
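The two listings above (the loader at 10029652 inside the module mapped at 10000000, and the registration helper at 004C4E74) are the sandbox's static extraction of call sites, not something a reader can query. The Python below is an added example, not Joe Sandbox tooling and not code from the sample: it parses lines of the form `• Api.MODULE(args), ref: addr` (including the `Part of subcall function` nesting) into records and applies a few triage heuristics of the editor's own. The one Win32 fact it relies on is that `GetProcAddress` treats `lpProcName` as an ordinal when its high word is zero, so `GetProcAddress(00000000,00000040)` at 10029721 is a lookup of export ordinal 64; the `?` placeholders are read as arguments the static pass could not resolve. Both sample listings are copied from this page; the heuristic names and thresholds are assumptions.

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox report and run a few
triage heuristics over them.

Added example for this page; it is not Joe Sandbox tooling and the heuristics
are the editor's own, not claims the report makes.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Copied from the two listings above: the loader in the in-memory module at
# 0x10000000 (function at 0x10029652) and the registration helper at 0x004C4E74.
LOADER_LISTING = """\
• GetModuleHandleA.KERNEL32(?), ref: 10029652
• LoadLibraryA.KERNEL32(?), ref: 1002965F
• wsprintfA.USER32 ref: 10029676
• MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002968C
  • Part of subcall function 10027B10: ExitProcess.KERNEL32 ref: 10027B25
• atoi.MSVCRT(?), ref: 100296CB
• strchr.MSVCRT ref: 10029703
• GetProcAddress.KERNEL32(00000000,00000040), ref: 10029721
• wsprintfA.USER32 ref: 10029739
• MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002974F
"""

REGISTER_LISTING = """\
• LoadLibraryA.KERNEL32(?,00000001,?,00000001,?,?,?,?,?,?,00000000,007F7E08,00000000), ref: 004C4E74
• GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 004C4EE7
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,007F7E08,00000000), ref: 004C4EF2
• LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004C500D
• RegisterTypeLib.OLEAUT32(00000000,00000000), ref: 004C5042
"""

# One call site:  • [Part of subcall function <addr>: ]<Api>.<MODULE>[(<args>)], ref: <addr>
CALL_RE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple                 # "?" marks an argument the static pass could not resolve
    ref: int                    # address of the call instruction
    subcall_of: Optional[int]   # set when the call happens inside a called function


def parse_api_listing(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue  # headings such as "APIs" or "Strings" carry no call
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(api=m["api"], module=m["module"].upper(), args=args,
                             ref=int(m["ref"], 16),
                             subcall_of=int(m["sub"], 16) if m["sub"] else None))
    return calls


def ordinal_of(call: ApiCall) -> Optional[int]:
    """Win32 GetProcAddress treats lpProcName as an ordinal when its high word is
    zero, so a small hex constant in the second argument is an import by ordinal."""
    if call.api != "GetProcAddress" or len(call.args) < 2:
        return None
    try:
        value = int(call.args[1], 16)
    except ValueError:
        return None  # a named export such as DllRegisterServer, or "?"
    return value if 0 < value < 0x10000 else None


def string_args(calls) -> list:
    """Literal string arguments the static pass recovered (candidate IOC strings)."""
    return sorted({a for c in calls for a in c.args
                   if a and a != "?" and not HEX32_RE.match(a)})


def triage(calls) -> dict:
    """Map each heuristic that fires to the call sites that triggered it."""
    findings = {}

    def hit(tag, call):
        findings.setdefault(tag, []).append(call.ref)

    apis = {c.api for c in calls}
    resolves_modules = bool(apis & {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
                                    "LoadLibraryExW", "GetModuleHandleA", "GetModuleHandleW"})
    for c in calls:
        if c.api == "GetProcAddress":
            if resolves_modules:
                hit("dynamic-import-resolution", c)
            if ordinal_of(c) is not None:
                hit("import-by-ordinal", c)
            if any(a in ("DllRegisterServer", "DllUnregisterServer") for a in c.args):
                hit("com-self-registration", c)
        if c.api in ("RegisterTypeLib", "UnRegisterTypeLib"):
            hit("com-self-registration", c)
        if c.api == "ExitProcess" and "MessageBoxA" in apis:
            hit("dialog-then-exit", c)  # user-facing error followed by a hard exit
    return findings


if __name__ == "__main__":
    for name, listing in (("loader", LOADER_LISTING), ("register", REGISTER_LISTING)):
        calls = parse_api_listing(listing)
        print(name, {k: [hex(r) for r in v] for k, v in triage(calls).items()},
              string_args(calls))
```

Run against the loader listing it reports `import-by-ordinal` and `dynamic-import-resolution` at 10029721 and `dialog-then-exit` at the ExitProcess subcall, with `DLL ERROR` as the only literal string; against the registration helper it reports `com-self-registration` at 004C4EE7 and 004C5042. Arguments shown as `?` are left out of `string_args`, so a listing with many unresolved arguments says little about IOC strings and should be read alongside the Strings section of the report.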
                                                    APIs
                                                    • ??2@YAPAXI@Z.MSVCRT(?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00000001), ref: 10028E9E
                                                    • strrchr.MSVCRT ref: 10028EC7
                                                    • RegOpenKeyA.ADVAPI32(00000000,00000000,?), ref: 10028EE0
                                                    • ??2@YAPAXI@Z.MSVCRT ref: 10028F03
                                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000400,?,?,?,00000698,80000004,00000000,00000000,00000000), ref: 10028F26
                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F34
                                                    • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F3E
                                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000), ref: 10028F5B
                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F8A
                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000), ref: 10028F97
                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F9E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ??2@??3@$QueryValue$CloseOpenstrrchr
                                                    • String ID:
                                                    • API String ID: 1380196384-0
                                                    • Opcode ID: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
                                                    • Instruction ID: 11253f6a850e8c32f07a3e9f8fa5c0c7ac66a22cffc6c79301f50e11ea2e9c0e
                                                    • Opcode Fuzzy Hash: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
                                                    • Instruction Fuzzy Hash: 304126792003055BE344DA78EC45E2B77D9EFC2660F950A2DF915C3281EE75EE0983A2
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,00533F02,?,Microsoft Visual C++ Runtime Library,00012010,?,007C811C,?,007C816C,?,?,?,Runtime Error!Program: ), ref: 0053B597
                                                    • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0053B5AF
                                                    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0053B5C0
                                                    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0053B5CD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$LibraryLoad
                                                    • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                    • API String ID: 2238633743-4044615076
                                                    • Opcode ID: 622007e229e6de29b49272a81b016c1c15e1e5f609875a5fbb962a915c1716da
                                                    • Instruction ID: 071fcfafa0a033612b982c627b67dd04f74153fa4fababe1b18bf703a0cb7a2d
                                                    • Opcode Fuzzy Hash: 622007e229e6de29b49272a81b016c1c15e1e5f609875a5fbb962a915c1716da
                                                    • Instruction Fuzzy Hash: 40018F71708312AFAB609FB69CC1E2B7FE8BF98781B44042DB600C2121EF74C8569B61
                                                    APIs
                                                    • LCMapStringW.KERNEL32(00000000,00000100,007C83AC,00000001,00000000,00000000,774CE860,0082AD44,?,?,?,0052FA7D,?,?,?,00000000), ref: 00537346
                                                    • LCMapStringA.KERNEL32(00000000,00000100,007C83A8,00000001,00000000,00000000,?,?,0052FA7D,?,?,?,00000000,00000001), ref: 00537362
                                                    • LCMapStringA.KERNEL32(?,?,?,0052FA7D,?,?,774CE860,0082AD44,?,?,?,0052FA7D,?,?,?,00000000), ref: 005373AB
                                                    • MultiByteToWideChar.KERNEL32(?,0082AD45,?,0052FA7D,00000000,00000000,774CE860,0082AD44,?,?,?,0052FA7D,?,?,?,00000000), ref: 005373E3
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,?,0052FA7D,?,00000000,?,?,0052FA7D,?), ref: 0053743B
                                                    • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0052FA7D,?), ref: 00537451
                                                    • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0052FA7D,?), ref: 00537484
                                                    • LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0052FA7D,?), ref: 005374EC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: String$ByteCharMultiWide
                                                    • String ID:
                                                    • API String ID: 352835431-0
                                                    • Opcode ID: 2aa0bd5e8976dd3b9e80f14c98e7c3505457ed7652ed3d07ccf2b721b36bc0d1
                                                    • Instruction ID: 62fae1f15539beb132fa46e7204c2e738844253d874c220e184594050162425a
                                                    • Opcode Fuzzy Hash: 2aa0bd5e8976dd3b9e80f14c98e7c3505457ed7652ed3d07ccf2b721b36bc0d1
                                                    • Instruction Fuzzy Hash: A15157B2904249EBCF328F94DC45EAE7FB5FB49B50F208519F914A21A0D3329D21EB61
                                                    APIs
                                                    • CreatePopupMenu.USER32 ref: 004D181E
                                                    • AppendMenuA.USER32(?,?,00000000,?), ref: 004D1981
                                                    • AppendMenuA.USER32(?,00000000,00000000,?), ref: 004D19B9
                                                    • ModifyMenuA.USER32(?,00000000,00000000,00000000,00000000), ref: 004D19D7
                                                    • AppendMenuA.USER32(?,?,00000000,?), ref: 004D1A35
                                                    • ModifyMenuA.USER32(?,?,?,?,?), ref: 004D1A5A
                                                    • AppendMenuA.USER32(?,?,?,?), ref: 004D1AA2
                                                    • ModifyMenuA.USER32(?,?,?,?,?), ref: 004D1AC7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Menu$Append$Modify$CreatePopup
                                                    • String ID:
                                                    • API String ID: 3846898120-0
                                                    • Opcode ID: 13f1f039540170faaef556ca445c7dd93ff42fe2ca284cba7cd11bebd8839f9a
                                                    • Instruction ID: 111db03df7f68586d0e0b397c169245ffb3322b08ad4745d6c47b00accc605c8
                                                    • Opcode Fuzzy Hash: 13f1f039540170faaef556ca445c7dd93ff42fe2ca284cba7cd11bebd8839f9a
                                                    • Instruction Fuzzy Hash: C5D199B1A043019BC714DF18C8A0A6BBBE4FF89714F04492EFD8597361E738AC55CBA6
                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 00533E4B
                                                    • GetStdHandle.KERNEL32(000000F4,007C811C,00000000,00000000,00000000,?), ref: 00533F21
                                                    • WriteFile.KERNEL32(00000000), ref: 00533F28
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: File$HandleModuleNameWrite
                                                    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                    • API String ID: 3784150691-4022980321
                                                    • Opcode ID: 879655f65fdb79e975c8d4631d7da7743f513fcb6bbfcc6986f75a5ef71bfadf
                                                    • Instruction ID: e27705f62a4417797f3c9bc5d2066a6bc54f24861cbd5154891db5b2c6f3cbe5
                                                    • Opcode Fuzzy Hash: 879655f65fdb79e975c8d4631d7da7743f513fcb6bbfcc6986f75a5ef71bfadf
                                                    • Instruction Fuzzy Hash: 5231EBB2A002196FDF20D7A0CC4AF9A7BBDFF89344F54056EF545D6090EA74EA41CB52
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %I64d$%lf
                                                    • API String ID: 0-1545097854
                                                    • Opcode ID: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
                                                    • Instruction ID: a68653634a99df22c50c27c61c92b13d05d716d03379e836d9a088690611f418
                                                    • Opcode Fuzzy Hash: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
                                                    • Instruction Fuzzy Hash: 0F516C7A5052424BD738D524BC85AEF73C4EBC0310FE08A2EFA59D21D1DE79DE458392
                                                    APIs
                                                    • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0052DD5E), ref: 00533832
                                                    • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0052DD5E), ref: 00533846
                                                    • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0052DD5E), ref: 00533872
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0052DD5E), ref: 005338AA
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0052DD5E), ref: 005338CC
                                                    • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0052DD5E), ref: 005338E5
                                                    • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0052DD5E), ref: 005338F8
                                                    • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00533936
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                    • String ID:
                                                    • API String ID: 1823725401-0
                                                    • Opcode ID: f19ae5f9a3fbe3512efa9db327dc7646042d9936f9feb6be10b92de45f0a7045
                                                    • Instruction ID: c403c02f281551305f95d4b8597e05b9ddc65d74ac2634dd4fdfd899de641ce3
                                                    • Opcode Fuzzy Hash: f19ae5f9a3fbe3512efa9db327dc7646042d9936f9feb6be10b92de45f0a7045
                                                    • Instruction Fuzzy Hash: DB3108B3505255AFDB307F74AC8893BFF9CFB45758F120839F555C3140E6618E8492A1
                                                    APIs
                                                    • IsWindow.USER32(?), ref: 004C093D
                                                    • GetParent.USER32(?), ref: 004C094F
                                                    • SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004C0977
                                                    • GetWindowRect.USER32(?,?), ref: 004C0A01
                                                    • InvalidateRect.USER32(?,?,00000001,?), ref: 004C0A24
                                                    • GetWindowRect.USER32(?,?), ref: 004C0BEC
                                                    • InvalidateRect.USER32(?,?,00000001,?), ref: 004C0C0D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Rect$Window$Invalidate$MessageParentSend
                                                    • String ID:
                                                    • API String ID: 236041146-0
                                                    • Opcode ID: 1905557a3942eebccb37f757c4b203deab9c8b6e52ba5a1d26c9cb08863c26b6
                                                    • Instruction ID: 2f00159bdabb5332b51ba01a9afd354a7c3584283ff38d8a2ea3e0d8566b119f
                                                    • Opcode Fuzzy Hash: 1905557a3942eebccb37f757c4b203deab9c8b6e52ba5a1d26c9cb08863c26b6
                                                    • Instruction Fuzzy Hash: 60913539640305DBC764EF24C855F6B77E8AF84348F040A1DFA059B392EB38ED518B99
                                                    APIs
                                                    • GetStringTypeW.KERNEL32(00000001,007C83AC,00000001,?,774CE860,0082AD44,?,?,0052FA7D,?,?,?,00000000,00000001), ref: 0053AB17
                                                    • GetStringTypeA.KERNEL32(00000000,00000001,007C83A8,00000001,?,?,0052FA7D,?,?,?,00000000,00000001), ref: 0053AB31
                                                    • GetStringTypeA.KERNEL32(?,?,?,?,0052FA7D,774CE860,0082AD44,?,?,0052FA7D,?,?,?,00000000,00000001), ref: 0053AB65
                                                    • MultiByteToWideChar.KERNEL32(?,0082AD45,?,?,00000000,00000000,774CE860,0082AD44,?,?,0052FA7D,?,?,?,00000000,00000001), ref: 0053AB9D
                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0052FA7D,?), ref: 0053ABF3
                                                    • GetStringTypeW.KERNEL32(?,?,00000000,0052FA7D,?,?,?,?,?,?,0052FA7D,?), ref: 0053AC05
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: StringType$ByteCharMultiWide
                                                    • String ID:
                                                    • API String ID: 3852931651-0
                                                    • Opcode ID: 6d6b4a2ce7f169295a1a08b7535c16b051d85e1e5cac94b4d84f7a2a99d6ca35
                                                    • Instruction ID: 996d888e664b4ac94350e061c3d5dd9027f8e9b676f115ff5715824726052586
                                                    • Opcode Fuzzy Hash: 6d6b4a2ce7f169295a1a08b7535c16b051d85e1e5cac94b4d84f7a2a99d6ca35
                                                    • Instruction Fuzzy Hash: 55418772600259AFCF218F94DC95EAFBFB9FB08750F104929F912E6190D3348D55DBA2
                                                    APIs
                                                    • TlsGetValue.KERNEL32(00826A84,00826A74,00000000,?,00826A84,?,00549DB7,00826A74,00000000,?,00000000,005497CE,005490BD,005497EA,00544BF1,00545E96), ref: 00549B5A
                                                    • EnterCriticalSection.KERNEL32(00826AA0,00000010,?,00826A84,?,00549DB7,00826A74,00000000,?,00000000,005497CE,005490BD,005497EA,00544BF1,00545E96), ref: 00549BA9
                                                    • LeaveCriticalSection.KERNEL32(00826AA0,00000000,?,00826A84,?,00549DB7,00826A74,00000000,?,00000000,005497CE,005490BD,005497EA,00544BF1,00545E96), ref: 00549BBC
                                                    • LocalAlloc.KERNEL32(00000000,00000004,?,00826A84,?,00549DB7,00826A74,00000000,?,00000000,005497CE,005490BD,005497EA,00544BF1,00545E96), ref: 00549BD2
                                                    • LocalReAlloc.KERNEL32(?,00000004,00000002,?,00826A84,?,00549DB7,00826A74,00000000,?,00000000,005497CE,005490BD,005497EA,00544BF1,00545E96), ref: 00549BE4
                                                    • TlsSetValue.KERNEL32(00826A84,00000000), ref: 00549C20
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: AllocCriticalLocalSectionValue$EnterLeave
                                                    • String ID:
                                                    • API String ID: 4117633390-0
                                                    • Opcode ID: 754bca5f0696e3d18161de676f4919457c2e56cbba83f33707a24c51e94439a4
                                                    • Instruction ID: ba22b42dcb3377453c38c0ffd79f2f0f1838f6b0e2b836916128efd038229513
                                                    • Opcode Fuzzy Hash: 754bca5f0696e3d18161de676f4919457c2e56cbba83f33707a24c51e94439a4
                                                    • Instruction Fuzzy Hash: 65318E75100605EFD724CF29D89AFABBBF8FB85365F008519E416C7690DB70E909CB61
                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0054A6A4
                                                      • Part of subcall function 0054A790: lstrlenA.KERNEL32(00000104,00000000,?,0054A6D4), ref: 0054A7C7
                                                    • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0054A745
                                                    • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0054A772
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: FileModuleNamelstrcatlstrcpylstrlen
                                                    • String ID: .HLP$.INI
                                                    • API String ID: 2421895198-3011182340
                                                    • Opcode ID: 934e9710f68d2f6034acb6a46ef242405537d4f67aa3d758049f00ed67a0a07e
                                                    • Instruction ID: 2d6db66258d15209581f3b0e9e50ec6436576fd4dcd740784245c849db600835
                                                    • Opcode Fuzzy Hash: 934e9710f68d2f6034acb6a46ef242405537d4f67aa3d758049f00ed67a0a07e
                                                    • Instruction Fuzzy Hash: FB3161B5804719AFDB21DB71D889BCABBFCFB04314F10896AE19AD3151DB70A984CF50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • Opcode ID: 2aa2cf0fddded433b96ca4bf7f29a059dfc3f445e8cf56c4c6c3a4891dd444a8
                                                    • Instruction ID: 0dfdc10983a6c348cd8601549634f0a7af1ac2cfccf118618dca00eacfac68db
                                                    • Opcode Fuzzy Hash: 2aa2cf0fddded433b96ca4bf7f29a059dfc3f445e8cf56c4c6c3a4891dd444a8
                                                    • Instruction Fuzzy Hash: 9AC1D1B55046029FC354DF24C881E6FB7E8EF85348F40492EF84697311E738F9568BAA
                                                    APIs
                                                    • GetStartupInfoA.KERNEL32(?), ref: 005339A7
                                                    • GetFileType.KERNEL32(?,?,00000000), ref: 00533A52
                                                    • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00533AB5
                                                    • GetFileType.KERNEL32(00000000,?,00000000), ref: 00533AC3
                                                    • SetHandleCount.KERNEL32 ref: 00533AFA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: FileHandleType$CountInfoStartup
                                                    • String ID:
                                                    • API String ID: 1710529072-0
                                                    • Opcode ID: 5afd03eaf5180e3da9c64babe44a70311b61fd813ac5bf2d202dd11df9032c78
                                                    • Instruction ID: 0ebe18ed94dea9f85b8a2fb03602b80aaa53bb3286cc19875e65a2f4274f6043
                                                    • Opcode Fuzzy Hash: 5afd03eaf5180e3da9c64babe44a70311b61fd813ac5bf2d202dd11df9032c78
                                                    • Instruction Fuzzy Hash: 755100326042418FC724CBA8D898B297FE0BF11328F29876DD5E2CB2E1D731DA4AD751
                                                    APIs
                                                    • midiStreamStop.WINMM(?,00000000,-000001A5,00000000,004D668A,00000000,007F7E08,004CC866), ref: 004D6B55
                                                    • midiOutReset.WINMM(?), ref: 004D6B73
                                                    • WaitForSingleObject.KERNEL32(?,000007D0), ref: 004D6B96
                                                    • midiStreamClose.WINMM(?), ref: 004D6BD3
                                                    • midiStreamClose.WINMM(?), ref: 004D6C07
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: midi$Stream$Close$ObjectResetSingleStopWait
                                                    • String ID:
                                                    • API String ID: 3142198506-0
                                                    • Opcode ID: 3c4d720d9cfef02ab93a990280a3187c80fd643b3b50966c0ec4732648aa1d48
                                                    • Instruction ID: 494dbcfcea3e29fcd54aa18dd12a2cf7bcef8ec0c9493c69dceec5b57c263412
                                                    • Opcode Fuzzy Hash: 3c4d720d9cfef02ab93a990280a3187c80fd643b3b50966c0ec4732648aa1d48
                                                    • Instruction Fuzzy Hash: FF314EB27107108FCB309F65D4A855BB7E6FB94705B154A2FE186C7740C778E8458B98
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Menu$Destroy$AcceleratorTableWindow
                                                    • String ID:
                                                    • API String ID: 1240299919-0
                                                    • Opcode ID: a453dbb0a03fb2ba0bf42701061a99a4b7668b13f71f9c2a0d727f225ddbe076
                                                    • Instruction ID: eb9900aa392927543486c1a4294f30ab9c6eebde899933ad1c642b2fcc2b6803
                                                    • Opcode Fuzzy Hash: a453dbb0a03fb2ba0bf42701061a99a4b7668b13f71f9c2a0d727f225ddbe076
                                                    • Instruction Fuzzy Hash: 1631B575600302AFC760EF65DC55E6B77A8EF84358F02491EBD0587252EA38E819CBB5
                                                    APIs
                                                    • GetLastError.KERNEL32(00000103,7FFFFFFF,00530072,00532987,00000000,?,?,00000000,00000001), ref: 00533B6E
                                                    • TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00533B7C
                                                    • SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00533BC8
                                                      • Part of subcall function 00530466: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00533B91,00000001,00000074,?,?,00000000,00000001), ref: 0053055C
                                                    • TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00533BA0
                                                    • GetCurrentThreadId.KERNEL32 ref: 00533BB1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastValue$AllocCurrentHeapThread
                                                    • String ID:
                                                    • API String ID: 2020098873-0
                                                    • Opcode ID: 1b3246f9203ee21eaea1139859eadd0f918b7d58f80477f6ee76527ff33b0f32
                                                    • Instruction ID: 1441587e76b6e3f483d6257c627f49a4bb1556efc0d1855809526b0c0a7c943b
                                                    • Opcode Fuzzy Hash: 1b3246f9203ee21eaea1139859eadd0f918b7d58f80477f6ee76527ff33b0f32
                                                    • Instruction Fuzzy Hash: BCF024325017226FDB712BB4BC2EA2A7F24FF81772F204214F985965E0CF208945E6A1
                                                    APIs
                                                    • wsprintfA.USER32 ref: 10027B78
                                                    • MessageBoxA.USER32(00000000,?,error,00000010), ref: 10027B8F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: Messagewsprintf
                                                    • String ID: error$program internal error number is %d. %s
                                                    • API String ID: 300413163-3752934751
                                                    • Opcode ID: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                                                    • Instruction ID: e1549d366f44cd83cf328da68a9c66535f66093051f9031b2c984319b6cde580
                                                    • Opcode Fuzzy Hash: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                                                    • Instruction Fuzzy Hash: B9E092755002006BE344EBA4ECAAFAA33A8E708701FC0085EF34981180EBB1A9548616
                                                    APIs
                                                    • HeapAlloc.KERNEL32(00000000,00002020,007E8DD0,007E8DD0,?,?,00538628,00000000,00000010,00000000,00000009,00000009,?,0052F6B1,00000010,00000000), ref: 0053817D
                                                    • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00538628,00000000,00000010,00000000,00000009,00000009,?,0052F6B1,00000010,00000000), ref: 005381A1
                                                    • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00538628,00000000,00000010,00000000,00000009,00000009,?,0052F6B1,00000010,00000000), ref: 005381BB
                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00538628,00000000,00000010,00000000,00000009,00000009,?,0052F6B1,00000010,00000000,?), ref: 0053827C
                                                    • HeapFree.KERNEL32(00000000,00000000,?,?,00538628,00000000,00000010,00000000,00000009,00000009,?,0052F6B1,00000010,00000000,?,00000000), ref: 00538293
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual$FreeHeap
                                                    • String ID:
                                                    • API String ID: 714016831-0
                                                    • Opcode ID: 3ce96c963973c6c491e1c37a7f8fd04290ce82f03aff29db640c4dd65cd629f2
                                                    • Instruction ID: 06c1d5da3c976ec4e0626ab63f977aa8b69d3ccbb528f452e19806e75a43e774
                                                    • Opcode Fuzzy Hash: 3ce96c963973c6c491e1c37a7f8fd04290ce82f03aff29db640c4dd65cd629f2
                                                    • Instruction Fuzzy Hash: F13102B5601B059BD375CF24EC44B32BBA4FB98755F108A39F1599B2D0EF74A804CB49
                                                    APIs
                                                    • midiStreamOpen.WINMM(-00000189,-00000161,00000001,004D7AC0,-000001A5,00030000,?,-000001A5,?,00000000), ref: 004D74AB
                                                    • midiStreamProperty.WINMM ref: 004D7592
                                                    • midiOutPrepareHeader.WINMM(?,?,00000040,00000001,?,?,-000001A5,?,00000000), ref: 004D76E0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: midi$Stream$HeaderOpenPrepareProperty
                                                    • String ID:
                                                    • API String ID: 2061886437-0
                                                    • Opcode ID: de51f04f3560eb73535e38426b5b19a00dfeedf827f36c0325c63de2bc599217
                                                    • Instruction ID: 3c51bf6f4c941761f64e271259f7b3a9cfe07da2815d5d1e2edd173bce017210
                                                    • Opcode Fuzzy Hash: de51f04f3560eb73535e38426b5b19a00dfeedf827f36c0325c63de2bc599217
                                                    • Instruction Fuzzy Hash: 13A16C716006069FD724DF28D8A0BAAB7F6FB84304F50892EE686C7751EB35F919CB41
                                                    APIs
                                                    • IsWindow.USER32(00000000), ref: 004C2BB4
                                                    • GetParent.USER32(00000000), ref: 004C2C04
                                                    • IsWindow.USER32(?), ref: 004C2C24
                                                    • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 004C2C9F
                                                      • Part of subcall function 0054425A: ShowWindow.USER32(?,?,004C0C1C,00000000), ref: 00544268
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Window$ParentShow
                                                    • String ID:
                                                    • API String ID: 2052805569-0
                                                    • Opcode ID: 4d912f72f0b78821a8b226315d8a2e75bb1a573efdeaf9a9c98d1435f7f1b5b6
                                                    • Instruction ID: 10c51ffc0da54946e3fd3f4599a63a72d769e843af6fe3df358bb9ff77c66004
                                                    • Opcode Fuzzy Hash: 4d912f72f0b78821a8b226315d8a2e75bb1a573efdeaf9a9c98d1435f7f1b5b6
                                                    • Instruction Fuzzy Hash: B341CF3A640301ABD3A0DF648D81FAB73A4AF84744F04092EFD059B381D7B8ED198BA5
                                                    APIs
                                                    • malloc.MSVCRT ref: 10029FB3
                                                    • LCMapStringA.KERNEL32(00000804,00400000,?,?,00000000,?,?,?,?,?,000009DC,00000000,?,10028774,00000001,?), ref: 10029FE7
                                                    • free.MSVCRT ref: 10029FF6
                                                    • free.MSVCRT ref: 1002A014
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: free$Stringmalloc
                                                    • String ID:
                                                    • API String ID: 3576809655-0
                                                    • Opcode ID: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                                                    • Instruction ID: fe1f6c240ce4a888f48c4ee73cb5f64fbc811d22bf13276520b53d25543597c8
                                                    • Opcode Fuzzy Hash: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                                                    • Instruction Fuzzy Hash: 2311D27A2042042BD348DA78AC45E7BB3D9DBC5265FA0463EF226D22C1EE71ED094365
                                                    APIs
                                                    • GetVersion.KERNEL32 ref: 0052DCEE
                                                      • Part of subcall function 00533D48: HeapCreate.KERNEL32(00000000,00001000,00000000,0052DD26,00000001), ref: 00533D59
                                                      • Part of subcall function 00533D48: HeapDestroy.KERNEL32 ref: 00533D98
                                                    • GetCommandLineA.KERNEL32 ref: 0052DD4E
                                                    • GetStartupInfoA.KERNEL32(?), ref: 0052DD79
                                                    • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0052DD9C
                                                      • Part of subcall function 0052DDF5: ExitProcess.KERNEL32 ref: 0052DE12
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                    • String ID:
                                                    • API String ID: 2057626494-0
                                                    • Opcode ID: 1475535c73c022e74915814cf63dc9b808203f217e1999df7d1b595b78170068
                                                    • Instruction ID: ee3187928c1648431fd964acb6c06c415bf5fcb7039583af7cbc81ed443b52c9
                                                    • Opcode Fuzzy Hash: 1475535c73c022e74915814cf63dc9b808203f217e1999df7d1b595b78170068
                                                    • Instruction Fuzzy Hash: 0821D3B5C00B16AFDB18AFB4EC5AA6E7FB8FF85710F104519F4019A2E1EB748940CB60
                                                    APIs
                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000020,00000000,00000000,00000000,80000005), ref: 10028DC8
                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9), ref: 10028E07
                                                    • CloseHandle.KERNEL32(00000000,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E1A
                                                    • CloseHandle.KERNEL32(00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E35
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2741369071.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: CloseFileHandle$CreateWrite
                                                    • String ID:
                                                    • API String ID: 3602564925-0
                                                    • Opcode ID: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                                                    • Instruction ID: f6076fed0b983a52129b8cb4bf2c1cdfe7202da6017c1e667b93af5c44e6f27f
                                                    • Opcode Fuzzy Hash: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                                                    • Instruction Fuzzy Hash: 39118E36201301ABE710DF18ECC5F6BB7E8FB84714F550919FA6497290D370E90E8B66
                                                    APIs
                                                    • GetCPInfo.KERNEL32(?,00000000), ref: 00532ED3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Info
                                                    • String ID: $
                                                    • API String ID: 1807457897-3032137957
                                                    • Opcode ID: 2e95727dd0e528df017d152471ea42e044b627637fcf8a6e00a49f2ce7b6f4bb
                                                    • Instruction ID: 9e1ab9eb464e599e61d80dfa270006c205e372ca0238d1b656ec671ccbb856e8
                                                    • Opcode Fuzzy Hash: 2e95727dd0e528df017d152471ea42e044b627637fcf8a6e00a49f2ce7b6f4bb
                                                    • Instruction Fuzzy Hash: 5A4146711042981FDB2A8764DD5ABFB3FA9BF05700F1404E4E689CB1A3C2754A49DBA3
                                                    APIs
                                                    • HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00537A82,00000000,00000000,00000000,0052F653,00000000,00000000,?,00000000,00000000,00000000), ref: 00537CE2
                                                    • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00537A82,00000000,00000000,00000000,0052F653,00000000,00000000,?,00000000,00000000,00000000), ref: 00537D16
                                                    • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00537D30
                                                    • HeapFree.KERNEL32(00000000,?), ref: 00537D47
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: AllocHeap$FreeVirtual
                                                    • String ID:
                                                    • API String ID: 3499195154-0
                                                    • Opcode ID: 68e480b001c8b44312a353283861990205e347b7861986f038a0b67136470cf7
                                                    • Instruction ID: 66d0b49e49624abc5b9273e5e116d619d7244cec2c55ad6d1650bcb7f13317dd
                                                    • Opcode Fuzzy Hash: 68e480b001c8b44312a353283861990205e347b7861986f038a0b67136470cf7
                                                    • Instruction Fuzzy Hash: 92118C702403449FC7358F18EC859267BB6FF84722B108A19F152D69B0C772A847DF01
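                                                     The API entries in this report print every argument as a raw hex stack value, so the CreateFileA/WriteFile/CloseHandle routine at 10028DC8 in the 0x10000000 module and the HeapAlloc/VirtualAlloc routine at 00537D30 in the 0x400000 module are easier to read once the constants are resolved. The decoder below is an added example, not part of this report or of Joe Sandbox's own tooling; it parses the "APIs" line format shown above and resolves the CreateFileA and VirtualAlloc arguments against their documented Win32 constants. The sample lines are copied from the entries on this page; the parameter-count table and the "writes-new-file" tag are the example's own assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample input: "APIs" entries copied from two routines listed in this report.
# Nothing here is fetched from the sandbox; the lines are embedded so the example runs offline.
SAMPLE_LINES = [
    "• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000020,00000000,"
    "00000000,00000000,80000005), ref: 10028DC8",
    "• WriteFile.KERNEL32(00000000,?,?,?,00000000,1002C201,?,0000026C,?,?,?,?,?,?,"
    "-00000008,1002C1F9), ref: 10028E07",
    "• CloseHandle.KERNEL32(00000000,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E1A",
    "• VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00537D30",
    "• malloc.MSVCRT ref: 10029FB3",
]

# Documented Win32 parameter counts (assumption of this example). The report prints raw stack
# slots, so anything past this count is leftover stack content rather than an argument.
PARAM_COUNT = {"CreateFileA": 7, "WriteFile": 5, "CloseHandle": 1, "VirtualAlloc": 4,
               "HeapAlloc": 3, "HeapReAlloc": 4, "HeapFree": 3, "SetWindowPos": 7}

GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR = {0x1: "FILE_ATTRIBUTE_READONLY", 0x2: "FILE_ATTRIBUTE_HIDDEN",
             0x4: "FILE_ATTRIBUTE_SYSTEM", 0x20: "FILE_ATTRIBUTE_ARCHIVE",
             0x80: "FILE_ATTRIBUTE_NORMAL", 0x100: "FILE_ATTRIBUTE_TEMPORARY",
             0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
MEM_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x100000: "MEM_TOP_DOWN"}
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR" when no arguments were recovered.
API_RE = re.compile(r"•\s*(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]{8})")


class Call(NamedTuple):
    name: str
    module: str
    args: List[Optional[int]]   # None where the sandbox printed '?'
    ref: int


def parse_line(line: str) -> Optional[Call]:
    """Parse one APIs entry; returns None for lines that are not API entries."""
    m = API_RE.search(line)
    if not m:
        return None
    name, module, raw_args, ref = m.groups()
    args: List[Optional[int]] = []
    for tok in (raw_args.split(",") if raw_args else []):
        tok = tok.strip()
        if tok == "?":
            args.append(None)
        else:
            # Values such as '-000001A5' are printed signed; normalise to 32-bit unsigned.
            args.append(int(tok, 16) & 0xFFFFFFFF)
    n = PARAM_COUNT.get(name)
    if n is not None:
        args = args[:n]            # drop trailing stack slots that are not parameters
    return Call(name, module, args, int(ref, 16))


def flags(value: Optional[int], table: Dict[int, str]) -> str:
    """Render a bitmask as OR-ed constant names, keeping any unknown bits as hex."""
    if value is None:
        return "?"
    names = [n for bit, n in table.items() if value & bit]
    rest = value & ~sum(bit for bit in table if value & bit)
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"


def decode(call: Call) -> str:
    a = call.args
    if call.name == "CreateFileA" and len(a) == 7:
        return (f"CreateFileA access={flags(a[1], GENERIC_ACCESS)} share={a[2]} "
                f"disposition={CREATION.get(a[4], a[4])} attrs={flags(a[5], FILE_ATTR)}")
    if call.name == "VirtualAlloc" and len(a) == 4:
        size = f"0x{a[1]:X}" if a[1] is not None else "?"
        return f"VirtualAlloc size={size} type={flags(a[2], MEM_TYPE)} protect={flags(a[3], PAGE_PROT)}"
    return f"{call.name} ({len(a)} args)"


def classify(calls: List[Call]) -> List[str]:
    """Tag a routine from its API sequence (tags are this example's own labels)."""
    tags = []
    names = [c.name for c in calls]
    for c in calls:
        if (c.name == "CreateFileA" and len(c.args) == 7 and c.args[1] is not None
                and c.args[1] & 0x40000000 and c.args[4] in (1, 2, 4) and "WriteFile" in names):
            tags.append("writes-new-file")
        if c.name == "VirtualAlloc" and len(c.args) == 4 and c.args[3] is not None and c.args[3] & 0x40:
            tags.append("allocates-rwx-memory")
    return tags


if __name__ == "__main__":
    parsed = [c for c in (parse_line(l) for l in SAMPLE_LINES) if c]
    for c in parsed:
        print(f"{c.ref:08X}  {decode(c)}")
    print("tags:", classify(parsed))
```

                                                     Two caveats when reading these entries. A "?" means the sandbox could not resolve that stack slot, and a value list longer than the documented parameter count is just stack content after the last argument, which is why the decoder truncates. Some entries do not line up with the documented signature at all (the HeapAlloc entry above starts with 00000008,000041C4, which does not look like a heap handle followed by a flags word), so the decoder only resolves calls whose argument counts and values are consistent and leaves the rest as raw names.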
                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(00826C38,?,00000000,?,?,00549DFD,00000010,?,00000000,?,?,?,005497E4,00549847,005490BD,005497EA), ref: 0054AAC7
                                                    • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00549DFD,00000010,?,00000000,?,?,?,005497E4,00549847,005490BD,005497EA), ref: 0054AAD9
                                                    • LeaveCriticalSection.KERNEL32(00826C38,?,00000000,?,?,00549DFD,00000010,?,00000000,?,?,?,005497E4,00549847,005490BD,005497EA), ref: 0054AAE2
                                                    • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00549DFD,00000010,?,00000000,?,?,?,005497E4,00549847,005490BD,005497EA,00544BF1), ref: 0054AAF4
                                                      • Part of subcall function 0054A9F9: GetVersion.KERNEL32(?,0054AA9C,?,00549DFD,00000010,?,00000000,?,?,?,005497E4,00549847,005490BD,005497EA,00544BF1,00545E96), ref: 0054AA0C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2737517789.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737668369.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737943824.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737968983.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2737991632.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738012973.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738034729.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738056938.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738083200.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738103748.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2738201212.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$Enter$InitializeLeaveVersion
                                                    • String ID:
                                                    • API String ID: 1193629340-0
                                                    • Opcode ID: 37008a4ce4adb6a59c32bdeff23902bfbd5156891adffd5d6724f40e3bce946c
                                                    • Instruction ID: 354e64508f78fadda31e78776eff901bcd455cec5889c7a137d548fcf142efeb
                                                    • Opcode Fuzzy Hash: 37008a4ce4adb6a59c32bdeff23902bfbd5156891adffd5d6724f40e3bce946c
                                                    • Instruction Fuzzy Hash: 56F0C23554131BDFCB20EF95EC98996B76CFB3031BB00443AE241C3061E731A46ACAA1
                                                    APIs
                                                    • InitializeCriticalSection.KERNEL32(?,00533B0B,?,0052DD38), ref: 005363E8
                                                    • InitializeCriticalSection.KERNEL32(?,00533B0B,?,0052DD38), ref: 005363F0
                                                    • InitializeCriticalSection.KERNEL32(?,00533B0B,?,0052DD38), ref: 005363F8
                                                    • InitializeCriticalSection.KERNEL32(?,00533B0B,?,0052DD38), ref: 00536400
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2737545494.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: the same 21 memory dumps (0x00400000 through 0x00930000, process 00000000, run 00000002) listed under the previous function's Memory Dump Source
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: CriticalInitializeSection
                                                    • String ID:
                                                    • API String ID: 32694325-0
                                                    • Opcode ID: 275d700e53cd2a23dd95af7c94858fad77d263ba473a30024a1a2df793c9ebad
                                                    • Instruction ID: 528ba9adfb9f6fb68ae23038595a66ad50901980f4aff4f9771c8355d6a134df
                                                    • Opcode Fuzzy Hash: 275d700e53cd2a23dd95af7c94858fad77d263ba473a30024a1a2df793c9ebad
                                                    • Instruction Fuzzy Hash: 2BC002B19031B4DACAD12B55FF49C463F66EB0C2653018067A10C5D4708E251C50EFD6

                                                    Execution Graph

                                                    Execution Coverage:7.7%
                                                    Dynamic/Decrypted Code Coverage:49.4%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:718
                                                    Total number of Limit Nodes:19
                                                    execution_graph: [interactive call graph, rendered graphically in the original report; the serialized node and edge data that stood in for it here is not readable as text and was cut off mid-entry at the end of the section]
                                                    Recoverable from the graph data: 718 nodes, 19 of them limit nodes (per the totals above). Each node pairs a function start address with the APIs that function calls, collapsed subtrees are labelled "N API calls", and the edges record caller-to-callee relations. Function addresses fall in two ranges: 0x0040xxxx-0x0054xxxx, i.e. the 211.exe image mapped at 0x00400000 per the Memory Dump Source entries above, and 0x1000xxxx-0x1002xxxx, which lies outside every dump range listed for that image. API names that appear on graph nodes include: heap and memory management (HeapCreate, HeapDestroy, GetProcessHeap, RtlAllocateHeap, HeapAlloc, HeapReAlloc, RtlFreeHeap, HeapFree, VirtualAlloc, VirtualFree, GlobalAlloc, GlobalLock, GlobalReAlloc, RtlMoveMemory); environment probing (GetVersion, GetVersionExA, RtlGetNtVersionNumbers, GetSystemInfo, GetSystemDirectoryA, GetModuleFileNameA, GetCommandLineA, GetStartupInfoA, GetTickCount); dynamic API resolution and loader access (GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, LdrGetDllHandleEx, LdrGetProcedureAddress, LdrInitializeThunk, IsBadCodePtr, IsBadReadPtr); file handling (GetTempPathA, PathFileExistsA, wsprintfA, CopyFileA, CreateFileA, GetFileSize, ReadFile, CloseHandle, DeleteFileA, RtlComputeCrc32); synchronization (CreateMutexA, ReleaseMutex, EnterCriticalSection, LeaveCriticalSection, InterlockedExchange, InterlockedIncrement, InterlockedDecrement, TlsGetValue); window and message handling (SetWindowsHookExA, GetCurrentThreadId, PeekMessageA, SendMessageA, DispatchMessageA, CallWindowProcA, IsWindow, GetWindowRect, GetWindowLongA, GetParent, SetWindowPos, MoveWindow, ShowWindow, ScreenToClient, GetStockObject, GetObjectA, LoadStringA, SetErrorMode); string and runtime helpers (MultiByteToWideChar, sprintf, strncpy, lstrlenA, lstrcpyA, lstrcpynA, lstrcatA, RtlUnwind, __CxxFrameHandler, __EH_prolog, _CIfmod, ??3@YAXPAX); and error paths that end in MessageBoxA followed by ExitProcess.
calls 23537 10026cf7 43 API calls 23538 4cceb0 HeapFree

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    [Control-flow graph for function 100193c2; edge list with executed/not-executed node coloring, not reproduced. Nodes in the graph call CopyFileA and RtlAllocateHeap and the internal routines 1002748d, 100294c0, 10027487, 10027499, 10028d40, 10028000, 1000241a, 10028e50, 10006495, 10007b67, 10008edd, 100094fb, 10001000 and 10001b27.]
                                                    APIs
                                                      • Part of subcall function 100294C0: GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                                                      • Part of subcall function 100294C0: GetTickCount.KERNEL32 ref: 10029543
                                                      • Part of subcall function 100294C0: wsprintfA.USER32 ref: 10029558
                                                      • Part of subcall function 100294C0: PathFileExistsA.SHLWAPI(?), ref: 10029565
                                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 10019491
                                                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000000,00000001,?,?,?,00000000), ref: 100195FF
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: FilePath$AllocateCopyCountExistsHeapTempTickwsprintf
                                                    • String ID: @
                                                    • API String ID: 183890193-2766056989
                                                    • Opcode ID: 18b586d84286487eb4998f70b0221884ed49b53f03fc69af3a470360e7e03aa0
                                                    • Instruction ID: 886d6a9a19e72094fdb0421fea6300c5803c3cbfa718e8e798f15b8255d4c358
                                                    • Opcode Fuzzy Hash: 18b586d84286487eb4998f70b0221884ed49b53f03fc69af3a470360e7e03aa0
                                                    • Instruction Fuzzy Hash: 26D142B5E40209ABEB01DFD4DCC2F9EB7B4FF18704F540065F604BA282E776A9548B66

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    [Control-flow graph for function 1000710e; edge list with executed/not-executed node coloring, not reproduced. Nodes in the graph call GetVersionExA, GetSystemInfo and RtlGetNtVersionNumbers and the internal routines 1002748d, 10027499, 10027ca0, 10027487 and 10028950.]
                                                    APIs
                                                    • GetVersionExA.KERNEL32(00000000,10006DE0), ref: 10007264
                                                    • GetSystemInfo.KERNEL32(00000000,?), ref: 100073E6
                                                    • RtlGetNtVersionNumbers.NTDLL(?,?,00000000), ref: 100074B7
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: Version$InfoNumbersSystem
                                                    • String ID:
                                                    • API String ID: 995872648-0
                                                    • Opcode ID: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                                                    • Instruction ID: 6910099e4755c4c9484fada616f008788a9246664730439cfdd765e490be93a4
                                                    • Opcode Fuzzy Hash: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                                                    • Instruction Fuzzy Hash: 001225B5E40246DBFB00CFA8DC81799B7F0FF19364F290065E909AB345E379A951CB62

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    [Control-flow graph for function 10007fdd; edge list with executed/not-executed node coloring, not reproduced. Nodes in the graph call the internal routines 100280c0, 10027487, 1000241a, 10007db8 and 10027499.]
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID: `+gw
                                                    • API String ID: 3535843008-3399981281
                                                    • Opcode ID: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                                                    • Instruction ID: f7734d6dfd281f4cec539f69a8a4743609fe5589cfe20e3980177d77de103c32
                                                    • Opcode Fuzzy Hash: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                                                    • Instruction Fuzzy Hash: 92112EB5D40308BBEB50DFE0DC86B9DBBB8EF05340F108069E6447A281D7B66B588B91

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    [Control-flow graph for function 10018ad3; edge list with executed/not-executed node coloring, not reproduced. Nodes in the graph call HeapCreate twice and the internal routines 10018eea, 10027499, 10001000, 1000188f, 10027487, 1000b61e, 10006453, 1000710e, 10018f34, 100191e3, 10019edc, 1000ff10, 100114f9, 10019f4c and 1001a236.]
                                                    APIs
                                                      • Part of subcall function 10018EEA: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                                                    • HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 10018B14
                                                    • HeapCreate.KERNEL32(00040000,00000000,00000000), ref: 10018B51
                                                      • Part of subcall function 1000FF10: RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: Create$Heap$ComputeCrc32Mutex
                                                    • String ID:
                                                    • API String ID: 3311811139-0
                                                    • Opcode ID: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                                                    • Instruction ID: 66fc46a93c8d8d126791b072413d70454ec7258938680aadaad6e332e46fbde2
                                                    • Opcode Fuzzy Hash: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                                                    • Instruction Fuzzy Hash: B8B10CB5E00309ABEB10EFE4DCC2B9E77B8FB14340F504465E618EB246E775AB448B52
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D511,00000000), ref: 1001A1FA
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                                                    • Instruction ID: 8b03ad6f155dc1ffa3c952e4c0ec4cfc85cd69f7d418c3f1b48ca094e25b3ce2
                                                    • Opcode Fuzzy Hash: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                                                    • Instruction Fuzzy Hash: EF012975D04319A7DB00EFD49C82F9E77B9EB05340F404066E50466151D775DB949B92
                                                    APIs
                                                    • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: CreateMutex
                                                    • String ID:
                                                    • API String ID: 1964310414-0
                                                    • Opcode ID: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                                                    • Instruction ID: b5123a5caac3b4bfff5d25017b882f5dc189a7960400f6af0356bf2a3b5a090f
                                                    • Opcode Fuzzy Hash: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                                                    • Instruction Fuzzy Hash: 49E01270E95308F7E120AA505D03B29B635D70AB11F609055BE083E1C1D5B19A156696

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    [Control-flow graph for function 4c45f0; edge list with executed/not-executed node coloring, not reproduced. Nodes in the graph call GetProcAddress, LoadLibraryA and FreeLibrary and the internal routines 52e958, 4b1bf0, 52f970, 4c45d0, 4cdd80, 4c49c0, 53fe81 and 5400ca.]
                                                    APIs
                                                    • GetProcAddress.KERNEL32(00000000,007E75F4), ref: 004C4657
                                                    • LoadLibraryA.KERNEL32(?,?,007F7FD8), ref: 004C4747
                                                    • LoadLibraryA.KERNEL32(?,?), ref: 004C478D
                                                    • LoadLibraryA.KERNEL32(?,?,007F7EE0,00000001), ref: 004C47D5
                                                    • LoadLibraryA.KERNEL32(00000001), ref: 004C47EB
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004C47FD
                                                    • FreeLibrary.KERNEL32(00000000), ref: 004C4890
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000005.00000002.2737530352.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737934515.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737959909.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737980567.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738002047.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738024230.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738046125.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738068178.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Library$Load$AddressProc$Free
                                                    • String ID: z}
                                                    • API String ID: 3120990465-525666401
                                                    • Opcode ID: 28ba6f5a5f4a5de310bd756f26aec77ae490bdf039b557b6098d2d28c867c74a
                                                    • Instruction ID: b24586c34ea4d5a4f17fe2c9cada23a81f7d34b64050b80aa2a0c0419b811f07
                                                    • Opcode Fuzzy Hash: 28ba6f5a5f4a5de310bd756f26aec77ae490bdf039b557b6098d2d28c867c74a
                                                    • Instruction Fuzzy Hash: E4A1D2B9A003429BC354EF64C8A4FABB3A8FFD9314F04462EF81587351D738E9058BA5

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    [Control-flow graph for function 5499e0; edge list with executed/not-executed node coloring, not reproduced. Nodes in the graph call EnterCriticalSection, GlobalAlloc, GlobalHandle, GlobalUnlock, GlobalReAlloc, GlobalLock and LeaveCriticalSection and the internal routines 5315f0 and 53ded1.]
                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(00826AA0,00826A74,00000000,?,00826A84,00826A84,00549D7B,?,00000000,005497CE,005490BD,005497EA,00544BF1,00545E96,?,00000000), ref: 005499EF
                                                    • GlobalAlloc.KERNEL32(00002002,00000000,?,?,00826A84,00826A84,00549D7B,?,00000000,005497CE,005490BD,005497EA,00544BF1,00545E96,?,00000000), ref: 00549A44
                                                    • GlobalHandle.KERNEL32(00B84460), ref: 00549A4D
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00549A56
                                                    • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00549A68
                                                    • GlobalHandle.KERNEL32(00B84460), ref: 00549A7F
                                                    • GlobalLock.KERNEL32(00000000), ref: 00549A86
                                                    • LeaveCriticalSection.KERNEL32(0052DDA8,?,?,00826A84,00826A84,00549D7B,?,00000000,005497CE,005490BD,005497EA,00544BF1,00545E96,?,00000000), ref: 00549A8C
                                                    • GlobalLock.KERNEL32(00000000), ref: 00549A9B
                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00549AE4
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000005.00000002.2737530352.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737934515.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737959909.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737980567.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738002047.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738024230.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738046125.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738068178.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                                    • String ID:
                                                    • API String ID: 2667261700-0
                                                    • Opcode ID: ad25314e3ab3a8c0cbd963cee62433216bdfd4a3f84765b6980d9fd789afd86f
                                                    • Instruction ID: 4f8166a8f1f4e6fff3fbf02aa1c08d632a4cb6cf359e0752492905e01ba98f7c
                                                    • Opcode Fuzzy Hash: ad25314e3ab3a8c0cbd963cee62433216bdfd4a3f84765b6980d9fd789afd86f
                                                    • Instruction Fuzzy Hash: F53194752007069FDB249F25DC9A96BBBE9FB84305F050A2DF456C36A1E771E848CB10

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 728 100294c0-100294cf 729 100294d1-100294e3 GetTempPathA 728->729 730 100294eb-10029511 728->730 731 10029513-1002952c 729->731 732 100294e5-100294e9 729->732 730->731 733 10029531-1002953d 731->733 734 1002952e 731->734 732->731 735 10029543-10029569 GetTickCount wsprintfA PathFileExistsA 733->735 734->733 735->735 736 1002956b-100295b3 call 10027bb0 735->736
                                                    APIs
                                                    • GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                                                    • GetTickCount.KERNEL32 ref: 10029543
                                                    • wsprintfA.USER32 ref: 10029558
                                                    • PathFileExistsA.SHLWAPI(?), ref: 10029565
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: Path$CountExistsFileTempTickwsprintf
                                                    • String ID: %s%x.tmp
                                                    • API String ID: 3843276195-78920241
                                                    • Opcode ID: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                                                    • Instruction ID: 19c0f5fbbc49b21063d5a4c1e69b6cb6cd736cc94922c53957f775166a9e82b6
                                                    • Opcode Fuzzy Hash: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                                                    • Instruction Fuzzy Hash: 9521F6352046144FE329D638AC526EB77D5FBC4360F948A2DF9AA831C0DF74DD058791

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 999 10027bb0-10027bb7 1000 10027bc4-10027bd7 RtlAllocateHeap 999->1000 1001 10027bb9-10027bbf GetProcessHeap 999->1001 1002 10027bf5-10027bf8 1000->1002 1003 10027bd9-10027bf2 MessageBoxA call 10027b10 1000->1003 1001->1000 1003->1002
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                                                    • RtlAllocateHeap.NTDLL(00B80000,00000008,?,?,10028674), ref: 10027BCD
                                                    • MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: Heap$AllocateMessageProcess
                                                    • String ID: error
                                                    • API String ID: 2992861138-1574812785
                                                    • Opcode ID: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
                                                    • Instruction ID: 89e5899bf0a8eaacd33e9d23978464e8beef4f738102cb453b69e42e0a268b90
                                                    • Opcode Fuzzy Hash: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
                                                    • Instruction Fuzzy Hash: 4DE0DF71A01A31ABE322EB64BC88F4B7698EF05B41F910526F608E2240EF20AC019791

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1006 10028d40-10028d62 CreateFileA 1007 10028d64-10028da8 GetFileSize call 10027bb0 ReadFile CloseHandle 1006->1007 1008 10028da9-10028daa 1006->1008 1007->1008
                                                    APIs
                                                    • CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000020,00000000,00000000,100149DF,00000001,00000000,00000000,80000004,00000000,00000000,00000000), ref: 10028D55
                                                    • GetFileSize.KERNEL32(00000000,?,1002C201,00000268,?,00000000,00000000,00000000,00000000), ref: 10028D6C
                                                      • Part of subcall function 10027BB0: GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                                                      • Part of subcall function 10027BB0: RtlAllocateHeap.NTDLL(00B80000,00000008,?,?,10028674), ref: 10027BCD
                                                      • Part of subcall function 10027BB0: MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                                                    • ReadFile.KERNEL32(00000000,00000008,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D98
                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D9F
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: File$Heap$AllocateCloseCreateHandleMessageProcessReadSize
                                                    • String ID:
                                                    • API String ID: 749537981-0
                                                    • Opcode ID: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                                                    • Instruction ID: 3e7a6e3e6917c5c906f0044d82f650070526e8034b550c75b50b94cd4b2286ca
                                                    • Opcode Fuzzy Hash: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                                                    • Instruction Fuzzy Hash: 31F044762003107BE3218B64DCC9F9B77ACEB84B51F204A1DF616961D0E670A5458761

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1142 544c01-544c0a call 5497bf 1145 544c0c-544c37 call 549588 GetCurrentThreadId SetWindowsHookExA call 549ddc 1142->1145 1146 544c5f 1142->1146 1150 544c3c-544c42 1145->1150 1151 544c44-544c49 call 5497bf 1150->1151 1152 544c4f-544c5e call 549d47 1150->1152 1151->1152 1152->1146
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 00544C14
                                                    • SetWindowsHookExA.USER32(000000FF,V`H,00000000,00000000), ref: 00544C24
                                                      • Part of subcall function 00549DDC: __EH_prolog.LIBCMT ref: 00549DE1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000005.00000002.2737530352.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737934515.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737959909.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737980567.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738002047.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738024230.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738046125.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738068178.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: CurrentH_prologHookThreadWindows
                                                    • String ID: V`H
                                                    • API String ID: 2183259885-1425837005
                                                    • Opcode ID: 27b997f6f7179cb0b2779c966f14897fa4399675d54a179ccde032838a98a252
                                                    • Instruction ID: 87dbf15fe9ba73776dd891609e4a4d1bd61d5b6f110f75bd9d376146e84fbf59
                                                    • Opcode Fuzzy Hash: 27b997f6f7179cb0b2779c966f14897fa4399675d54a179ccde032838a98a252
                                                    • Instruction Fuzzy Hash: B4F0EC315803516FCB653B70A90FBDA3E60FF8172DF040214F2119A4E2DA708C858B51

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1425 4b1250-4b125a 1426 4b126c-4b1272 1425->1426 1427 4b125c-4b1269 call 4b1320 1425->1427 1429 4b127c-4b1288 1426->1429 1430 4b1274-4b1279 1426->1430 1432 4b128a-4b1290 1429->1432 1433 4b12d6-4b12dd 1429->1433 1432->1433 1436 4b1292-4b1298 1432->1436 1434 4b12ea-4b12ff RtlAllocateHeap 1433->1434 1435 4b12df-4b12e5 GetProcessHeap 1433->1435 1437 4b130d-4b1316 1434->1437 1438 4b1301-4b130a 1434->1438 1435->1434 1436->1433 1439 4b129a-4b12d3 call 513f10 1436->1439
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000005.00000002.2737530352.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737934515.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737959909.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737980567.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738002047.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738024230.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738046125.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738068178.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 65c0620cca44ce1836006fb26f76a04352bcddd32108ef6c4988ce719da8f37e
                                                    • Instruction ID: 257c5965780043ca074fcd81bf9be300c55a239d83c9bfd71556b5287a9629b6
                                                    • Opcode Fuzzy Hash: 65c0620cca44ce1836006fb26f76a04352bcddd32108ef6c4988ce719da8f37e
                                                    • Instruction Fuzzy Hash: 17214CB67007008FE720CF6AD884A97B7E8EBA0315F50C86FE155C7660E374E814CB68

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1442 54a610-54a63b SetErrorMode * 2 call 5497bf * 2 1447 54a65c-54a666 call 5497bf 1442->1447 1448 54a63d-54a657 call 54a673 1442->1448 1452 54a66d-54a670 1447->1452 1453 54a668 call 544c01 1447->1453 1448->1447 1453->1452
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000000,00000000,00545EB5,00000000,00000000,00000000,00000000,?,00000000,?,0053D643,00000000,00000000,00000000,00000000,0052DDA8), ref: 0054A619
                                                    • SetErrorMode.KERNEL32(00000000,?,00000000,?,0053D643,00000000,00000000,00000000,00000000,0052DDA8,00000000), ref: 0054A620
                                                      • Part of subcall function 0054A673: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0054A6A4
                                                      • Part of subcall function 0054A673: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0054A745
                                                      • Part of subcall function 0054A673: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0054A772
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000005.00000002.2737530352.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737934515.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737959909.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737980567.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738002047.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738024230.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738046125.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738068178.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
                                                    • String ID:
                                                    • API String ID: 3389432936-0
                                                    • Opcode ID: a950021dbd7f2cff136bb401d917dbb3d2cd5524086a1a0ce42b0edfcb3f18c1
                                                    • Instruction ID: 61290f7f7966688914ff4d8210981358b095b91cde57544b162207b09e7d6391
                                                    • Opcode Fuzzy Hash: a950021dbd7f2cff136bb401d917dbb3d2cd5524086a1a0ce42b0edfcb3f18c1
                                                    • Instruction Fuzzy Hash: B3F037759A42118FD754BF24D449A8A7FE5BF84714F0A848AF4489B3A2CB70D840CF96

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1455 4c40b0-4c40cb PeekMessageA 1456 4c40cd-4c40d2 1455->1456 1457 4c40f3-4c40f7 1455->1457 1456->1457 1458 4c40d4-4c40f1 call 544bec PeekMessageA 1456->1458 1458->1456 1458->1457
                                                    APIs
                                                    • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004C40C7
                                                    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004C40ED
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000005.00000002.2737530352.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737934515.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737959909.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737980567.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738002047.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738024230.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738046125.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738068178.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: MessagePeek
                                                    • String ID:
                                                    • API String ID: 2222842502-0
                                                    • Opcode ID: d5d2506b950605fd47a43454618ffe8a54ad3c91368ebf1fb006fd2e3387a302
                                                    • Instruction ID: 3060bef3242b9e64f1d83d7d4beb61524e2d549d16d15d59f0f09b8f25f1f37b
                                                    • Opcode Fuzzy Hash: d5d2506b950605fd47a43454618ffe8a54ad3c91368ebf1fb006fd2e3387a302
                                                    • Instruction Fuzzy Hash: D9F06535680312AAFA20E6A48D16F5A36587F84B00F64445EB7009B1D5D6B4E4048AAA
                                                    APIs
                                                    • HeapCreate.KERNEL32(00000000,00001000,00000000,0052DD26,00000001), ref: 00533D59
                                                      • Part of subcall function 00533C00: GetVersionExA.KERNEL32 ref: 00533C1F
                                                    • HeapDestroy.KERNEL32 ref: 00533D98
                                                      • Part of subcall function 00537615: HeapAlloc.KERNEL32(00000000,00000140,00533D81,000003F8), ref: 00537622
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000005.00000002.2737530352.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737934515.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737959909.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737980567.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738002047.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738024230.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738046125.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738068178.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Heap$AllocCreateDestroyVersion
                                                    • String ID:
                                                    • API String ID: 2507506473-0
                                                    • Opcode ID: af64821078d90016b58e6de7cd4c4c17b93af33b7c5ffedb6c6ceb7551cc911c
                                                    • Instruction ID: 3005f0fa4dea441b7e9ff5c19e1f18e0758b21afb4d3c8aa1a5068578a6eae4d
                                                    • Opcode Fuzzy Hash: af64821078d90016b58e6de7cd4c4c17b93af33b7c5ffedb6c6ceb7551cc911c
                                                    • Instruction Fuzzy Hash: 90F092706543029FEF342B70AD4A7293F94BF80BC7F208C25F401C91F5EB608681DA02
                                                    APIs
                                                    • IsBadReadPtr.KERNEL32(00000000,00000008), ref: 10027C6E
                                                    • RtlFreeHeap.NTDLL(00B80000,00000000,00000000), ref: 10027C80
                                                      • Part of subcall function 10027AE0: GetModuleHandleA.KERNEL32(10000000,10027CB6,?,?,00000000,10013438,00000004,1002D4C1,00000000,00000000,?,00000014,00000000,00000000), ref: 10027AEA
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: FreeHandleHeapModuleRead
                                                    • String ID:
                                                    • API String ID: 627478288-0
                                                    • Opcode ID: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                                                    • Instruction ID: 59851536013e0aac3578df5bad16e171669d5e3b00cd7f1de4e20f90094f5fd3
                                                    • Opcode Fuzzy Hash: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                                                    • Instruction Fuzzy Hash: 46E0ED71A0153297EB21FB34ADC4A4B769CFB417C0BB1402AF548B3151D330AC818BA2
                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0052F6EC
                                                      • Part of subcall function 00536404: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0053051C,00000009,00000000,00000000,00000001,00533B91,00000001,00000074,?,?,00000000,00000001), ref: 00536441
                                                      • Part of subcall function 00536404: EnterCriticalSection.KERNEL32(?,?,?,0053051C,00000009,00000000,00000000,00000001,00533B91,00000001,00000074,?,?,00000000,00000001), ref: 0053645C
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000005.00000002.2737530352.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737934515.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737959909.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737980567.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738002047.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738024230.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738046125.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738068178.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$AllocateEnterHeapInitialize
                                                    • String ID:
                                                    • API String ID: 1616793339-0
                                                    • Opcode ID: 07ed0954b32abc0448bb45259bccae278de14bf3fca98205a1815d222d60e768
                                                    • Instruction ID: 305235d5c03fdd056c23329a9631b5a2131395e1c4e749564b40aeab5d033725
                                                    • Opcode Fuzzy Hash: 07ed0954b32abc0448bb45259bccae278de14bf3fca98205a1815d222d60e768
                                                    • Instruction Fuzzy Hash: A221E572A00226ABDB20DB64FD46B9DBB74FF01B64F148235F410EB6E0C774B8418B94
                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,0053051C,00000009,00000000,00000000,00000001,00533B91,00000001,00000074), ref: 0052F5B2
                                                      • Part of subcall function 00536404: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0053051C,00000009,00000000,00000000,00000001,00533B91,00000001,00000074,?,?,00000000,00000001), ref: 00536441
                                                      • Part of subcall function 00536404: EnterCriticalSection.KERNEL32(?,?,?,0053051C,00000009,00000000,00000000,00000001,00533B91,00000001,00000074,?,?,00000000,00000001), ref: 0053645C
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000005.00000002.2737530352.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737934515.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737959909.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737980567.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738002047.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738024230.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738046125.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738068178.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$EnterFreeHeapInitialize
                                                    • String ID:
                                                    • API String ID: 641406236-0
                                                    • Opcode ID: 2d4f46c75ae90a4aacd3b987706eb7c7185c855123ba77a37b62cfb14d749cad
                                                    • Instruction ID: 460a9c6898f188cd0c45a8af5fa3afcf83775dcb23062754fb9cb7c28b9ee8a2
                                                    • Opcode Fuzzy Hash: 2d4f46c75ae90a4aacd3b987706eb7c7185c855123ba77a37b62cfb14d749cad
                                                    • Instruction Fuzzy Hash: D42186B2901619ABDF259F54FC46B9EBF78FF05721F144139F410A11C1DB349A41CBA1
                                                    APIs
                                                    • LdrInitializeThunk.NTDLL(-0000007F), ref: 10004BAD
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                                                    • Instruction ID: 7f13cb2829284cec5adb7bd0b88e9c5a5f53f04c1fb2448feb0c9f08ba257be5
                                                    • Opcode Fuzzy Hash: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                                                    • Instruction Fuzzy Hash: 0111C4B1600645DBFB20DF18C894B5973A5EB413D9F128336E806CB2E8CB78DD85C789
                                                    APIs
                                                    • LoadStringA.USER32(?,?,?,?), ref: 00545788
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000005.00000002.2737530352.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737934515.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737959909.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737980567.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738002047.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738024230.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738046125.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738068178.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: LoadString
                                                    • String ID:
                                                    • API String ID: 2948472770-0
                                                    • Opcode ID: c1b1d911e08022ae39e4ef26d74cdd36d3da38d948a58a4fd60697d53b6af94b
                                                    • Instruction ID: 316f36bd3042288640475e4a47daf85dc0d20d51f61549422664542fc3b58111
                                                    • Opcode Fuzzy Hash: c1b1d911e08022ae39e4ef26d74cdd36d3da38d948a58a4fd60697d53b6af94b
                                                    • Instruction Fuzzy Hash: A4D0A7721483629BC711DF508808CCFBFA8FF55315B040C0DF88447112D320C404CB61
                                                    APIs
                                                    • ShowWindow.USER32(?,?,004C0C1C,00000000), ref: 00544268
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000005.00000002.2737530352.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737934515.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737959909.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737980567.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738002047.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738024230.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738046125.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738068178.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: ShowWindow
                                                    • String ID:
                                                    • API String ID: 1268545403-0
                                                    • Opcode ID: ffc18a60ec64a25ffe576df6f9df42f32a41d4df3b93da3696965e1d8b0a479c
                                                    • Instruction ID: 65f01fd27c374b06f8fb20ac46830e62d759b84c53379d1c0a00d9b395d2d6fb
                                                    • Opcode Fuzzy Hash: ffc18a60ec64a25ffe576df6f9df42f32a41d4df3b93da3696965e1d8b0a479c
                                                    • Instruction Fuzzy Hash: 2CD0C935308200EFCF458FA0DA48B5ABBB2BF94709F209968F5468A169D732DC52FF01
                                                    APIs
                                                    • DeleteFileA.KERNEL32(00000000,10015A7E,00000001,10014425,00000000,80000004), ref: 10028E55
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: DeleteFile
                                                    • String ID:
                                                    • API String ID: 4033686569-0
                                                    • Opcode ID: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                                                    • Instruction ID: ffbd99c73049c44a809e906c9e813abd6042298cab9f2baa300a0a2bd65e465f
                                                    • Opcode Fuzzy Hash: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                                                    • Instruction Fuzzy Hash: 5EA00275904611EBDE11DBA4C9DC84B7BACAB84341B108844F155C2130C634D451CB21
                                                    APIs
                                                    • IsIconic.USER32(?), ref: 004CC59C
                                                    • IsZoomed.USER32(?), ref: 004CC5AA
                                                    • LoadLibraryA.KERNEL32(User32.dll,00000003,00000009), ref: 004CC5D4
                                                    • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004CC5E7
                                                    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004CC5F5
                                                    • FreeLibrary.KERNEL32(00000000), ref: 004CC62B
                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004CC641
                                                    • IsWindow.USER32(?), ref: 004CC66E
                                                    • ShowWindow.USER32(?,00000005,?,?,?,?,00000004), ref: 004CC67B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000005.00000002.2737530352.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737671725.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737671725.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737671725.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737671725.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737934515.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737959909.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737980567.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738002047.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738024230.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738046125.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738068178.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738199579.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738199579.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738199579.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738199579.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryProcWindow$FreeIconicInfoLoadParametersShowSystemZoomed
                                                    • String ID: GetMonitorInfoA$H$MonitorFromWindow$User32.dll
                                                    • API String ID: 447426925-661446951
                                                    • Opcode ID: e3c9081808f3a6c06a94af234ffa932566e37fd4afcceb11e6dd3c0bc71baef1
                                                    • Instruction ID: 0015e01cb62ea38e8a775510f96baccfee101a7d8a3b07d4d0453bf61e3b1b4e
                                                    • Opcode Fuzzy Hash: e3c9081808f3a6c06a94af234ffa932566e37fd4afcceb11e6dd3c0bc71baef1
                                                    • Instruction Fuzzy Hash: 53318075740302AFDB609F65CC99F2B77A8EF94B01F00451DFA15A7290EBB8EC098B65
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 004C51C5
                                                    • IsWindow.USER32(000204CA), ref: 004C51E1
                                                    • SendMessageA.USER32(000204CA,000083E7,?,00000000), ref: 004C51FA
                                                    • ExitProcess.KERNEL32 ref: 004C520F
                                                    • FreeLibrary.KERNEL32(?), ref: 004C52F3
                                                    • FreeLibrary.KERNEL32 ref: 004C5347
                                                    • DestroyIcon.USER32(00000000), ref: 004C5397
                                                    • DestroyIcon.USER32(00000000), ref: 004C53AE
                                                    • IsWindow.USER32(000204CA), ref: 004C53C5
                                                    • DestroyIcon.USER32(?,00000001,00000000,000000FF), ref: 004C5474
                                                    • WSACleanup.WS2_32 ref: 004C54BF
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000005.00000002.2737530352.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737671725.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737671725.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737671725.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737671725.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737934515.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737959909.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737980567.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738002047.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738024230.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738046125.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738068178.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738199579.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738199579.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738199579.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738199579.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: DestroyIcon$FreeLibraryWindow$CleanupCurrentExitMessageProcessSendThread
                                                    • String ID:
                                                    • API String ID: 3816745216-0
                                                    • Opcode ID: f0d9a70cdff0468791dde31c942f17e7789855842212ddbf8e306ee36dae3f7d
                                                    • Instruction ID: f15aa76c9b86a7e4cc96f9be315a982b954b6d3f2b126e6e67abce3de9a3b786
                                                    • Opcode Fuzzy Hash: f0d9a70cdff0468791dde31c942f17e7789855842212ddbf8e306ee36dae3f7d
                                                    • Instruction Fuzzy Hash: 1BB1AB74200B029BC764DF65C8D5FABB7E4BF88305F40452EE99A87391DB34B981CB58
                                                    APIs
                                                    • UnmapViewOfFile.KERNEL32(00000000,00000000,00000000,?,00000018,00000000,00000000,00000000,00000000,00000000,00000018,00000000,00000000,00000000,00000000,00000000), ref: 100226B0
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: FileUnmapView
                                                    • String ID:
                                                    • API String ID: 2564024751-0
                                                    • Opcode ID: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                                                    • Instruction ID: aca3888e1ced534dfb8bff30dc6f5772290e13aa398f14ea119e8b9ebb5f1563
                                                    • Opcode Fuzzy Hash: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                                                    • Instruction Fuzzy Hash: CED1AF75D40209FBEF219FE0EC46BDDBAB1EB09714F608115F6203A2E0C7B62A549F59
                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 1001A976
                                                    • SelectObject.GDI32(00000000,00000000), ref: 1001A9E8
                                                    • SelectObject.GDI32(00000000,00000000), ref: 1001ABA2
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 1001ABFD
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ObjectSelect$Release
                                                    • String ID:
                                                    • API String ID: 3581861777-0
                                                    • Opcode ID: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                                                    • Instruction ID: 0a28f281d22c81f76b667070ee8f4b39c3514b9b46e69f88ae8cd14bf3a1b365
                                                    • Opcode Fuzzy Hash: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                                                    • Instruction Fuzzy Hash: 2B9116B0D40309EBDF01EF81DC86BAEBBB1EB0A715F005015F6187A290D3B69691CF96
                                                    APIs
                                                    • GetWindow.USER32(?,00000005), ref: 1001A773
                                                    • IsWindowVisible.USER32(00000000), ref: 1001A7AC
                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 1001A7E9
                                                    • GetWindow.USER32(00000000,00000002), ref: 1001A872
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: Window$ProcessThreadVisible
                                                    • String ID:
                                                    • API String ID: 569392824-0
                                                    • Opcode ID: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
                                                    • Instruction ID: 356be4359fdaef5b37944779847d5b641f80ef076249e3ad3302764c89b6051f
                                                    • Opcode Fuzzy Hash: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
                                                    • Instruction Fuzzy Hash: 284105B4D40219EBEB40EF90DC87BAEFBB0FB06711F105065E5097E190E7B19A90CB96
                                                    APIs
                                                    • ReleaseMutex.KERNEL32(?,?,10026B6B), ref: 100141AB
                                                    • NtClose.NTDLL(?), ref: 100141D7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: CloseMutexRelease
                                                    • String ID: `+gw
                                                    • API String ID: 2985832019-3399981281
                                                    • Opcode ID: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
                                                    • Instruction ID: 38ac61447b851c898caa1bdb063a432cf123be9b48bf26603be34453f4d11833
                                                    • Opcode Fuzzy Hash: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
                                                    • Instruction Fuzzy Hash: 69F08CB0E41308F7DA00AF50DC03B7DBA30EB16751F105021FA087E0A0DBB29A659A9A
                                                    APIs
                                                    • GetFocus.USER32 ref: 004C419F
                                                    • GetWindowRect.USER32(?,?), ref: 004C41F6
                                                    • GetParent.USER32(?), ref: 004C4206
                                                    • GetParent.USER32(?), ref: 004C4239
                                                    • GlobalSize.KERNEL32(00000000), ref: 004C4283
                                                    • GlobalLock.KERNEL32(00000000), ref: 004C428B
                                                    • IsWindow.USER32(?), ref: 004C42A4
                                                    • GetTopWindow.USER32(?), ref: 004C42E1
                                                    • GetWindow.USER32(00000000,00000002), ref: 004C42FA
                                                    • SetParent.USER32(?,?), ref: 004C4326
                                                    • SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 004C4371
                                                    • SendMessageA.USER32(?,00008076,00000000,00000000), ref: 004C4380
                                                    • GetParent.USER32(?), ref: 004C4393
                                                    • SendMessageA.USER32(?,00008004,00000000,00000000), ref: 004C43AC
                                                    • GetWindowLongA.USER32(?,000000F0), ref: 004C43B4
                                                    • SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004C43E4
                                                    • SendMessageA.USER32(?,0000130C,00000000,00000000), ref: 004C43F2
                                                    • IsWindow.USER32(?), ref: 004C443E
                                                    • GetFocus.USER32 ref: 004C4448
                                                    • SetFocus.USER32(?,00000000), ref: 004C4460
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004C446B
                                                    • GlobalFree.KERNEL32(00000000), ref: 004C4472
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000005.00000002.2737530352.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737671725.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737671725.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737671725.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737671725.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737934515.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737959909.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737980567.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738002047.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738024230.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738046125.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738068178.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738199579.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738199579.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738199579.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738199579.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Window$MessageSend$GlobalParent$Focus$FreeLockLongRectSizeUnlock
                                                    • String ID:
                                                    • API String ID: 300820980-0
                                                    • Opcode ID: 46b89426181f45a75755c81c99bb8c500613f3d8c64b140c0b6aaa8104dafc62
                                                    • Instruction ID: eee55fcfe739283037b7b4a46e7c6d5d14d25edaadbf54a0075943387bb208a0
                                                    • Opcode Fuzzy Hash: 46b89426181f45a75755c81c99bb8c500613f3d8c64b140c0b6aaa8104dafc62
                                                    • Instruction Fuzzy Hash: D9A16975204301AFD764EF65CDA9F6BB7E8BBC8700F104A1DFA4187291DB78E8058B69
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(?,00000001,?,00000001,?,?,?,?,?,?,00000000,007F7E08,00000000), ref: 004C4E74
                                                    • LoadLibraryA.KERNEL32(?,00000001,00000000,00000001,?,?,007D7D3C,?,?,?,?,?,?,00000000,007F7E08,00000000), ref: 004C4EB1
                                                    • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 004C4EE7
                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,007F7E08,00000000), ref: 004C4EF2
                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,007F7E08,00000000), ref: 004C4F00
                                                    • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004C500D
                                                    • RegisterTypeLib.OLEAUT32(00000000,00000000), ref: 004C5042
                                                    • CLSIDFromString.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,007F7E08,00000000), ref: 004C5107
                                                    • UnRegisterTypeLib.OLEAUT32(?,00000000,00000000,00000000,00000001), ref: 004C5123
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000005.00000002.2737530352.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737671725.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737934515.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737959909.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2737980567.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738002047.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738024230.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738046125.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738068178.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738093836.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000005.00000002.2738199579.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Library$LoadType$FreeRegister$AddressFromProcString
                                                    • String ID: DllRegisterServer$DllUnregisterServer
                                                    • API String ID: 2476498075-2931954178
                                                    • Opcode ID: 6adeebc547e412af5974387c37d682d3867ff6c3c98371791d9c2174c9422a7a
                                                    • Instruction ID: f879303977d6079e9c16ba7d4398c68262d7366ee29809511d77d6ab517eca64
                                                    • Opcode Fuzzy Hash: 6adeebc547e412af5974387c37d682d3867ff6c3c98371791d9c2174c9422a7a
                                                    • Instruction Fuzzy Hash: 71B1D47590020A9BDB54EFA4D855FEEB7B8FF84314F14452EF815A7281DB38AA05C7A0
                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(?), ref: 10029652
                                                    • LoadLibraryA.KERNEL32(?), ref: 1002965F
                                                    • wsprintfA.USER32 ref: 10029676
                                                    • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002968C
                                                      • Part of subcall function 10027B10: ExitProcess.KERNEL32 ref: 10027B25
                                                    • atoi.MSVCRT(?), ref: 100296CB
                                                    • strchr.MSVCRT ref: 10029703
                                                    • GetProcAddress.KERNEL32(00000000,00000040), ref: 10029721
                                                    • wsprintfA.USER32 ref: 10029739
                                                    • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002974F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
                                                    • String ID: DLL ERROR
                                                    • API String ID: 3187504500-4092134112
                                                    • Opcode ID: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
                                                    • Instruction ID: 2d8d4974cead62a1b0d3c1b872151993aa02a2f76add0cb6c4d459240c98e11b
                                                    • Opcode Fuzzy Hash: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
                                                    • Instruction Fuzzy Hash: 7E3139B26003529BE310EF74AC94F9BB7D8EB85340F904929FB09D3241EB75E919C7A5
                                                    APIs
                                                    • ??2@YAPAXI@Z.MSVCRT(?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00000001), ref: 10028E9E
                                                    • strrchr.MSVCRT ref: 10028EC7
                                                    • RegOpenKeyA.ADVAPI32(00000000,00000000,?), ref: 10028EE0
                                                    • ??2@YAPAXI@Z.MSVCRT ref: 10028F03
                                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000400,?,?,?,00000698,80000004,00000000,00000000,00000000), ref: 10028F26
                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F34
                                                    • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F3E
                                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000), ref: 10028F5B
                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F8A
                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000), ref: 10028F97
                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F9E
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: ??2@??3@$QueryValue$CloseOpenstrrchr
                                                    • String ID:
                                                    • API String ID: 1380196384-0
                                                    • Opcode ID: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
                                                    • Instruction ID: 11253f6a850e8c32f07a3e9f8fa5c0c7ac66a22cffc6c79301f50e11ea2e9c0e
                                                    • Opcode Fuzzy Hash: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
                                                    • Instruction Fuzzy Hash: 304126792003055BE344DA78EC45E2B77D9EFC2660F950A2DF915C3281EE75EE0983A2
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,00533F02,?,Microsoft Visual C++ Runtime Library,00012010,?,007C811C,?,007C816C,?,?,?,Runtime Error!Program: ), ref: 0053B597
                                                    • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0053B5AF
                                                    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0053B5C0
                                                    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0053B5CD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$LibraryLoad
                                                    • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                    • API String ID: 2238633743-4044615076
                                                    • Opcode ID: 622007e229e6de29b49272a81b016c1c15e1e5f609875a5fbb962a915c1716da
                                                    • Instruction ID: 071fcfafa0a033612b982c627b67dd04f74153fa4fababe1b18bf703a0cb7a2d
                                                    • Opcode Fuzzy Hash: 622007e229e6de29b49272a81b016c1c15e1e5f609875a5fbb962a915c1716da
                                                    • Instruction Fuzzy Hash: 40018F71708312AFAB609FB69CC1E2B7FE8BF98781B44042DB600C2121EF74C8569B61
                                                    APIs
                                                    • LCMapStringW.KERNEL32(00000000,00000100,007C83AC,00000001,00000000,00000000,774CE860,0082AD44,?,?,?,0052FA7D,?,?,?,00000000), ref: 00537346
                                                    • LCMapStringA.KERNEL32(00000000,00000100,007C83A8,00000001,00000000,00000000,?,?,0052FA7D,?,?,?,00000000,00000001), ref: 00537362
                                                    • LCMapStringA.KERNEL32(?,?,?,0052FA7D,?,?,774CE860,0082AD44,?,?,?,0052FA7D,?,?,?,00000000), ref: 005373AB
                                                    • MultiByteToWideChar.KERNEL32(?,0082AD45,?,0052FA7D,00000000,00000000,774CE860,0082AD44,?,?,?,0052FA7D,?,?,?,00000000), ref: 005373E3
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,?,0052FA7D,?,00000000,?,?,0052FA7D,?), ref: 0053743B
                                                    • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0052FA7D,?), ref: 00537451
                                                    • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0052FA7D,?), ref: 00537484
                                                    • LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0052FA7D,?), ref: 005374EC
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: String$ByteCharMultiWide
                                                    • String ID:
                                                    • API String ID: 352835431-0
                                                    • Opcode ID: 2aa0bd5e8976dd3b9e80f14c98e7c3505457ed7652ed3d07ccf2b721b36bc0d1
                                                    • Instruction ID: 62fae1f15539beb132fa46e7204c2e738844253d874c220e184594050162425a
                                                    • Opcode Fuzzy Hash: 2aa0bd5e8976dd3b9e80f14c98e7c3505457ed7652ed3d07ccf2b721b36bc0d1
                                                    • Instruction Fuzzy Hash: A15157B2904249EBCF328F94DC45EAE7FB5FB49B50F208519F914A21A0D3329D21EB61
                                                    APIs
                                                    • CreatePopupMenu.USER32 ref: 004D181E
                                                    • AppendMenuA.USER32(?,?,00000000,?), ref: 004D1981
                                                    • AppendMenuA.USER32(?,00000000,00000000,?), ref: 004D19B9
                                                    • ModifyMenuA.USER32(?,00000000,00000000,00000000,00000000), ref: 004D19D7
                                                    • AppendMenuA.USER32(?,?,00000000,?), ref: 004D1A35
                                                    • ModifyMenuA.USER32(?,?,?,?,?), ref: 004D1A5A
                                                    • AppendMenuA.USER32(?,?,?,?), ref: 004D1AA2
                                                    • ModifyMenuA.USER32(?,?,?,?,?), ref: 004D1AC7
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Menu$Append$Modify$CreatePopup
                                                    • String ID:
                                                    • API String ID: 3846898120-0
                                                    • Opcode ID: 13f1f039540170faaef556ca445c7dd93ff42fe2ca284cba7cd11bebd8839f9a
                                                    • Instruction ID: 111db03df7f68586d0e0b397c169245ffb3322b08ad4745d6c47b00accc605c8
                                                    • Opcode Fuzzy Hash: 13f1f039540170faaef556ca445c7dd93ff42fe2ca284cba7cd11bebd8839f9a
                                                    • Instruction Fuzzy Hash: C5D199B1A043019BC714DF18C8A0A6BBBE4FF89714F04492EFD8597361E738AC55CBA6
                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 00533E4B
                                                    • GetStdHandle.KERNEL32(000000F4,007C811C,00000000,00000000,00000000,?), ref: 00533F21
                                                    • WriteFile.KERNEL32(00000000), ref: 00533F28
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: File$HandleModuleNameWrite
                                                    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                    • API String ID: 3784150691-4022980321
                                                    • Opcode ID: 879655f65fdb79e975c8d4631d7da7743f513fcb6bbfcc6986f75a5ef71bfadf
                                                    • Instruction ID: e27705f62a4417797f3c9bc5d2066a6bc54f24861cbd5154891db5b2c6f3cbe5
                                                    • Opcode Fuzzy Hash: 879655f65fdb79e975c8d4631d7da7743f513fcb6bbfcc6986f75a5ef71bfadf
                                                    • Instruction Fuzzy Hash: 5231EBB2A002196FDF20D7A0CC4AF9A7BBDFF89344F54056EF545D6090EA74EA41CB52
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %I64d$%lf
                                                    • API String ID: 0-1545097854
                                                    • Opcode ID: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
                                                    • Instruction ID: a68653634a99df22c50c27c61c92b13d05d716d03379e836d9a088690611f418
                                                    • Opcode Fuzzy Hash: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
                                                    • Instruction Fuzzy Hash: 0F516C7A5052424BD738D524BC85AEF73C4EBC0310FE08A2EFA59D21D1DE79DE458392
                                                    APIs
                                                    • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0052DD5E), ref: 00533832
                                                    • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0052DD5E), ref: 00533846
                                                    • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0052DD5E), ref: 00533872
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0052DD5E), ref: 005338AA
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0052DD5E), ref: 005338CC
                                                    • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0052DD5E), ref: 005338E5
                                                    • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0052DD5E), ref: 005338F8
                                                    • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00533936
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                    • String ID:
                                                    • API String ID: 1823725401-0
                                                    • Opcode ID: f19ae5f9a3fbe3512efa9db327dc7646042d9936f9feb6be10b92de45f0a7045
                                                    • Instruction ID: c403c02f281551305f95d4b8597e05b9ddc65d74ac2634dd4fdfd899de641ce3
                                                    • Opcode Fuzzy Hash: f19ae5f9a3fbe3512efa9db327dc7646042d9936f9feb6be10b92de45f0a7045
                                                    • Instruction Fuzzy Hash: DB3108B3505255AFDB307F74AC8893BFF9CFB45758F120839F555C3140E6618E8492A1
                                                    APIs
                                                    • IsWindow.USER32(?), ref: 004C093D
                                                    • GetParent.USER32(?), ref: 004C094F
                                                    • SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004C0977
                                                    • GetWindowRect.USER32(?,?), ref: 004C0A01
                                                    • InvalidateRect.USER32(?,?,00000001,?), ref: 004C0A24
                                                    • GetWindowRect.USER32(?,?), ref: 004C0BEC
                                                    • InvalidateRect.USER32(?,?,00000001,?), ref: 004C0C0D
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Rect$Window$Invalidate$MessageParentSend
                                                    • String ID:
                                                    • API String ID: 236041146-0
                                                    • Opcode ID: 1905557a3942eebccb37f757c4b203deab9c8b6e52ba5a1d26c9cb08863c26b6
                                                    • Instruction ID: 2f00159bdabb5332b51ba01a9afd354a7c3584283ff38d8a2ea3e0d8566b119f
                                                    • Opcode Fuzzy Hash: 1905557a3942eebccb37f757c4b203deab9c8b6e52ba5a1d26c9cb08863c26b6
                                                    • Instruction Fuzzy Hash: 60913539640305DBC764EF24C855F6B77E8AF84348F040A1DFA059B392EB38ED518B99
                                                    APIs
                                                    • GetStringTypeW.KERNEL32(00000001,007C83AC,00000001,?,774CE860,0082AD44,?,?,0052FA7D,?,?,?,00000000,00000001), ref: 0053AB17
                                                    • GetStringTypeA.KERNEL32(00000000,00000001,007C83A8,00000001,?,?,0052FA7D,?,?,?,00000000,00000001), ref: 0053AB31
                                                    • GetStringTypeA.KERNEL32(?,?,?,?,0052FA7D,774CE860,0082AD44,?,?,0052FA7D,?,?,?,00000000,00000001), ref: 0053AB65
                                                    • MultiByteToWideChar.KERNEL32(?,0082AD45,?,?,00000000,00000000,774CE860,0082AD44,?,?,0052FA7D,?,?,?,00000000,00000001), ref: 0053AB9D
                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0052FA7D,?), ref: 0053ABF3
                                                    • GetStringTypeW.KERNEL32(?,?,00000000,0052FA7D,?,?,?,?,?,?,0052FA7D,?), ref: 0053AC05
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: StringType$ByteCharMultiWide
                                                    • String ID:
                                                    • API String ID: 3852931651-0
                                                    • Opcode ID: 6d6b4a2ce7f169295a1a08b7535c16b051d85e1e5cac94b4d84f7a2a99d6ca35
                                                    • Instruction ID: 996d888e664b4ac94350e061c3d5dd9027f8e9b676f115ff5715824726052586
                                                    • Opcode Fuzzy Hash: 6d6b4a2ce7f169295a1a08b7535c16b051d85e1e5cac94b4d84f7a2a99d6ca35
                                                    • Instruction Fuzzy Hash: 55418772600259AFCF218F94DC95EAFBFB9FB08750F104929F912E6190D3348D55DBA2
                                                    APIs
                                                    • TlsGetValue.KERNEL32(00826A84,00826A74,00000000,?,00826A84,?,00549DB7,00826A74,00000000,?,00000000,005497CE,005490BD,005497EA,00544BF1,00545E96), ref: 00549B5A
                                                    • EnterCriticalSection.KERNEL32(00826AA0,00000010,?,00826A84,?,00549DB7,00826A74,00000000,?,00000000,005497CE,005490BD,005497EA,00544BF1,00545E96), ref: 00549BA9
                                                    • LeaveCriticalSection.KERNEL32(00826AA0,00000000,?,00826A84,?,00549DB7,00826A74,00000000,?,00000000,005497CE,005490BD,005497EA,00544BF1,00545E96), ref: 00549BBC
                                                    • LocalAlloc.KERNEL32(00000000,00000004,?,00826A84,?,00549DB7,00826A74,00000000,?,00000000,005497CE,005490BD,005497EA,00544BF1,00545E96), ref: 00549BD2
                                                    • LocalReAlloc.KERNEL32(?,00000004,00000002,?,00826A84,?,00549DB7,00826A74,00000000,?,00000000,005497CE,005490BD,005497EA,00544BF1,00545E96), ref: 00549BE4
                                                    • TlsSetValue.KERNEL32(00826A84,00000000), ref: 00549C20
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: AllocCriticalLocalSectionValue$EnterLeave
                                                    • String ID:
                                                    • API String ID: 4117633390-0
                                                    • Opcode ID: 754bca5f0696e3d18161de676f4919457c2e56cbba83f33707a24c51e94439a4
                                                    • Instruction ID: ba22b42dcb3377453c38c0ffd79f2f0f1838f6b0e2b836916128efd038229513
                                                    • Opcode Fuzzy Hash: 754bca5f0696e3d18161de676f4919457c2e56cbba83f33707a24c51e94439a4
                                                    • Instruction Fuzzy Hash: 65318E75100605EFD724CF29D89AFABBBF8FB85365F008519E416C7690DB70E909CB61
                                                    APIs
                                                    • GetVersionExA.KERNEL32 ref: 00533C1F
                                                    • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00533C54
                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00533CB4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentFileModuleNameVariableVersion
                                                    • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                    • API String ID: 1385375860-4131005785
                                                    • Opcode ID: 9f95769abd9352f71d3c7db14b83ca2b89205ad466b3bad723754e2c654ccc19
                                                    • Instruction ID: 278d88a88197a603e981a8106d5c9fd9624103140aa5df7cb7abcf2f5b99d593
                                                    • Opcode Fuzzy Hash: 9f95769abd9352f71d3c7db14b83ca2b89205ad466b3bad723754e2c654ccc19
                                                    • Instruction Fuzzy Hash: E5314D7194539C6EEB358770AC55BDD3F68BF02740F2418E9E145E9052E6308FD5CB10
                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0054A6A4
                                                      • Part of subcall function 0054A790: lstrlenA.KERNEL32(00000104,00000000,?,0054A6D4), ref: 0054A7C7
                                                    • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0054A745
                                                    • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0054A772
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: FileModuleNamelstrcatlstrcpylstrlen
                                                    • String ID: .HLP$.INI
                                                    • API String ID: 2421895198-3011182340
                                                    • Opcode ID: 934e9710f68d2f6034acb6a46ef242405537d4f67aa3d758049f00ed67a0a07e
                                                    • Instruction ID: 2d6db66258d15209581f3b0e9e50ec6436576fd4dcd740784245c849db600835
                                                    • Opcode Fuzzy Hash: 934e9710f68d2f6034acb6a46ef242405537d4f67aa3d758049f00ed67a0a07e
                                                    • Instruction Fuzzy Hash: FB3161B5804719AFDB21DB71D889BCABBFCFB04314F10896AE19AD3151DB70A984CF50
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2aa2cf0fddded433b96ca4bf7f29a059dfc3f445e8cf56c4c6c3a4891dd444a8
                                                    • Instruction ID: 0dfdc10983a6c348cd8601549634f0a7af1ac2cfccf118618dca00eacfac68db
                                                    • Opcode Fuzzy Hash: 2aa2cf0fddded433b96ca4bf7f29a059dfc3f445e8cf56c4c6c3a4891dd444a8
                                                    • Instruction Fuzzy Hash: 9AC1D1B55046029FC354DF24C881E6FB7E8EF85348F40492EF84697311E738F9568BAA
                                                    APIs
                                                    • GetStartupInfoA.KERNEL32(?), ref: 005339A7
                                                    • GetFileType.KERNEL32(?,?,00000000), ref: 00533A52
                                                    • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00533AB5
                                                    • GetFileType.KERNEL32(00000000,?,00000000), ref: 00533AC3
                                                    • SetHandleCount.KERNEL32 ref: 00533AFA
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: FileHandleType$CountInfoStartup
                                                    • String ID:
                                                    • API String ID: 1710529072-0
                                                    • Opcode ID: 5afd03eaf5180e3da9c64babe44a70311b61fd813ac5bf2d202dd11df9032c78
                                                    • Instruction ID: 0ebe18ed94dea9f85b8a2fb03602b80aaa53bb3286cc19875e65a2f4274f6043
                                                    • Opcode Fuzzy Hash: 5afd03eaf5180e3da9c64babe44a70311b61fd813ac5bf2d202dd11df9032c78
                                                    • Instruction Fuzzy Hash: 755100326042418FC724CBA8D898B297FE0BF11328F29876DD5E2CB2E1D731DA4AD751
                                                    APIs
                                                    • midiStreamStop.WINMM(?,00000000,-000001A5,00000000,004D668A,00000000,007F7E08,004CC866), ref: 004D6B55
                                                    • midiOutReset.WINMM(?), ref: 004D6B73
                                                    • WaitForSingleObject.KERNEL32(?,000007D0), ref: 004D6B96
                                                    • midiStreamClose.WINMM(?), ref: 004D6BD3
                                                    • midiStreamClose.WINMM(?), ref: 004D6C07
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: midi$Stream$Close$ObjectResetSingleStopWait
                                                    • String ID:
                                                    • API String ID: 3142198506-0
                                                    • Opcode ID: 3c4d720d9cfef02ab93a990280a3187c80fd643b3b50966c0ec4732648aa1d48
                                                    • Instruction ID: 494dbcfcea3e29fcd54aa18dd12a2cf7bcef8ec0c9493c69dceec5b57c263412
                                                    • Opcode Fuzzy Hash: 3c4d720d9cfef02ab93a990280a3187c80fd643b3b50966c0ec4732648aa1d48
                                                    • Instruction Fuzzy Hash: FF314EB27107108FCB309F65D4A855BB7E6FB94705B154A2FE186C7740C778E8458B98
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Menu$Destroy$AcceleratorTableWindow
                                                    • String ID:
                                                    • API String ID: 1240299919-0
                                                    • Opcode ID: a453dbb0a03fb2ba0bf42701061a99a4b7668b13f71f9c2a0d727f225ddbe076
                                                    • Instruction ID: eb9900aa392927543486c1a4294f30ab9c6eebde899933ad1c642b2fcc2b6803
                                                    • Opcode Fuzzy Hash: a453dbb0a03fb2ba0bf42701061a99a4b7668b13f71f9c2a0d727f225ddbe076
                                                    • Instruction Fuzzy Hash: 1631B575600302AFC760EF65DC55E6B77A8EF84358F02491EBD0587252EA38E819CBB5
                                                    APIs
                                                    • GetLastError.KERNEL32(00000103,7FFFFFFF,00530072,00532987,00000000,?,?,00000000,00000001), ref: 00533B6E
                                                    • TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00533B7C
                                                    • SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00533BC8
                                                      • Part of subcall function 00530466: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00533B91,00000001,00000074,?,?,00000000,00000001), ref: 0053055C
                                                    • TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00533BA0
                                                    • GetCurrentThreadId.KERNEL32 ref: 00533BB1
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastValue$AllocCurrentHeapThread
                                                    • String ID:
                                                    • API String ID: 2020098873-0
                                                    • Opcode ID: 1b3246f9203ee21eaea1139859eadd0f918b7d58f80477f6ee76527ff33b0f32
                                                    • Instruction ID: 1441587e76b6e3f483d6257c627f49a4bb1556efc0d1855809526b0c0a7c943b
                                                    • Opcode Fuzzy Hash: 1b3246f9203ee21eaea1139859eadd0f918b7d58f80477f6ee76527ff33b0f32
                                                    • Instruction Fuzzy Hash: BCF024325017226FDB712BB4BC2EA2A7F24FF81772F204214F985965E0CF208945E6A1
                                                    APIs
                                                    • wsprintfA.USER32 ref: 10027B78
                                                    • MessageBoxA.USER32(00000000,?,error,00000010), ref: 10027B8F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: Messagewsprintf
                                                    • String ID: error$program internal error number is %d. %s
                                                    • API String ID: 300413163-3752934751
                                                    • Opcode ID: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                                                    • Instruction ID: e1549d366f44cd83cf328da68a9c66535f66093051f9031b2c984319b6cde580
                                                    • Opcode Fuzzy Hash: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                                                    • Instruction Fuzzy Hash: B9E092755002006BE344EBA4ECAAFAA33A8E708701FC0085EF34981180EBB1A9548616
                                                    APIs
                                                    • HeapAlloc.KERNEL32(00000000,00002020,007E8DD0,007E8DD0,?,?,00538628,00000000,00000010,00000000,00000009,00000009,?,0052F6B1,00000010,00000000), ref: 0053817D
                                                    • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00538628,00000000,00000010,00000000,00000009,00000009,?,0052F6B1,00000010,00000000), ref: 005381A1
                                                    • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00538628,00000000,00000010,00000000,00000009,00000009,?,0052F6B1,00000010,00000000), ref: 005381BB
                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00538628,00000000,00000010,00000000,00000009,00000009,?,0052F6B1,00000010,00000000,?), ref: 0053827C
                                                    • HeapFree.KERNEL32(00000000,00000000,?,?,00538628,00000000,00000010,00000000,00000009,00000009,?,0052F6B1,00000010,00000000,?,00000000), ref: 00538293
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual$FreeHeap
                                                    • String ID:
                                                    • API String ID: 714016831-0
                                                    • Opcode ID: 3ce96c963973c6c491e1c37a7f8fd04290ce82f03aff29db640c4dd65cd629f2
                                                    • Instruction ID: 06c1d5da3c976ec4e0626ab63f977aa8b69d3ccbb528f452e19806e75a43e774
                                                    • Opcode Fuzzy Hash: 3ce96c963973c6c491e1c37a7f8fd04290ce82f03aff29db640c4dd65cd629f2
                                                    • Instruction Fuzzy Hash: F13102B5601B059BD375CF24EC44B32BBA4FB98755F108A39F1599B2D0EF74A804CB49
                                                    APIs
                                                    • midiStreamOpen.WINMM(-00000189,-00000161,00000001,004D7AC0,-000001A5,00030000,?,-000001A5,?,00000000), ref: 004D74AB
                                                    • midiStreamProperty.WINMM ref: 004D7592
                                                    • midiOutPrepareHeader.WINMM(?,?,00000040,00000001,?,?,-000001A5,?,00000000), ref: 004D76E0
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: midi$Stream$HeaderOpenPrepareProperty
                                                    • String ID:
                                                    • API String ID: 2061886437-0
                                                    • Opcode ID: de51f04f3560eb73535e38426b5b19a00dfeedf827f36c0325c63de2bc599217
                                                    • Instruction ID: 3c51bf6f4c941761f64e271259f7b3a9cfe07da2815d5d1e2edd173bce017210
                                                    • Opcode Fuzzy Hash: de51f04f3560eb73535e38426b5b19a00dfeedf827f36c0325c63de2bc599217
                                                    • Instruction Fuzzy Hash: 13A16C716006069FD724DF28D8A0BAAB7F6FB84304F50892EE686C7751EB35F919CB41
                                                    APIs
                                                    • IsWindow.USER32(00000000), ref: 004C2BB4
                                                    • GetParent.USER32(00000000), ref: 004C2C04
                                                    • IsWindow.USER32(?), ref: 004C2C24
                                                    • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 004C2C9F
                                                      • Part of subcall function 0054425A: ShowWindow.USER32(?,?,004C0C1C,00000000), ref: 00544268
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Window$ParentShow
                                                    • String ID:
                                                    • API String ID: 2052805569-0
                                                    • Opcode ID: 4d912f72f0b78821a8b226315d8a2e75bb1a573efdeaf9a9c98d1435f7f1b5b6
                                                    • Instruction ID: 10c51ffc0da54946e3fd3f4599a63a72d769e843af6fe3df358bb9ff77c66004
                                                    • Opcode Fuzzy Hash: 4d912f72f0b78821a8b226315d8a2e75bb1a573efdeaf9a9c98d1435f7f1b5b6
                                                    • Instruction Fuzzy Hash: B341CF3A640301ABD3A0DF648D81FAB73A4AF84744F04092EFD059B381D7B8ED198BA5
                                                    APIs
                                                    • malloc.MSVCRT ref: 10029FB3
                                                    • LCMapStringA.KERNEL32(00000804,00400000,?,?,00000000,?,?,?,?,?,000009DC,00000000,?,10028774,00000001,?), ref: 10029FE7
                                                    • free.MSVCRT ref: 10029FF6
                                                    • free.MSVCRT ref: 1002A014
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: free$Stringmalloc
                                                    • String ID:
                                                    • API String ID: 3576809655-0
                                                    • Opcode ID: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                                                    • Instruction ID: fe1f6c240ce4a888f48c4ee73cb5f64fbc811d22bf13276520b53d25543597c8
                                                    • Opcode Fuzzy Hash: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                                                    • Instruction Fuzzy Hash: 2311D27A2042042BD348DA78AC45E7BB3D9DBC5265FA0463EF226D22C1EE71ED094365
                                                    APIs
                                                    • GetVersion.KERNEL32 ref: 0052DCEE
                                                      • Part of subcall function 00533D48: HeapCreate.KERNEL32(00000000,00001000,00000000,0052DD26,00000001), ref: 00533D59
                                                      • Part of subcall function 00533D48: HeapDestroy.KERNEL32 ref: 00533D98
                                                    • GetCommandLineA.KERNEL32 ref: 0052DD4E
                                                    • GetStartupInfoA.KERNEL32(?), ref: 0052DD79
                                                    • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0052DD9C
                                                      • Part of subcall function 0052DDF5: ExitProcess.KERNEL32 ref: 0052DE12
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                    • String ID:
                                                    • API String ID: 2057626494-0
                                                    • Opcode ID: 1475535c73c022e74915814cf63dc9b808203f217e1999df7d1b595b78170068
                                                    • Instruction ID: ee3187928c1648431fd964acb6c06c415bf5fcb7039583af7cbc81ed443b52c9
                                                    • Opcode Fuzzy Hash: 1475535c73c022e74915814cf63dc9b808203f217e1999df7d1b595b78170068
                                                    • Instruction Fuzzy Hash: 0821D3B5C00B16AFDB18AFB4EC5AA6E7FB8FF85710F104519F4019A2E1EB748940CB60
                                                    APIs
                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000020,00000000,00000000,00000000,80000005), ref: 10028DC8
                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9), ref: 10028E07
                                                    • CloseHandle.KERNEL32(00000000,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E1A
                                                    • CloseHandle.KERNEL32(00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E35
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2741126480.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_10000000_211.jbxd
                                                    Similarity
                                                    • API ID: CloseFileHandle$CreateWrite
                                                    • String ID:
                                                    • API String ID: 3602564925-0
                                                    • Opcode ID: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                                                    • Instruction ID: f6076fed0b983a52129b8cb4bf2c1cdfe7202da6017c1e667b93af5c44e6f27f
                                                    • Opcode Fuzzy Hash: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                                                    • Instruction Fuzzy Hash: 39118E36201301ABE710DF18ECC5F6BB7E8FB84714F550919FA6497290D370E90E8B66
                                                    APIs
                                                    • GetCPInfo.KERNEL32(?,00000000), ref: 00532ED3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: Info
                                                    • String ID: $
                                                    • API String ID: 1807457897-3032137957
                                                    • Opcode ID: 2e95727dd0e528df017d152471ea42e044b627637fcf8a6e00a49f2ce7b6f4bb
                                                    • Instruction ID: 9e1ab9eb464e599e61d80dfa270006c205e372ca0238d1b656ec671ccbb856e8
                                                    • Opcode Fuzzy Hash: 2e95727dd0e528df017d152471ea42e044b627637fcf8a6e00a49f2ce7b6f4bb
                                                    • Instruction Fuzzy Hash: 5A4146711042981FDB2A8764DD5ABFB3FA9BF05700F1404E4E689CB1A3C2754A49DBA3
                                                    APIs
                                                    • HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00537A82,00000000,00000000,00000000,0052F653,00000000,00000000,?,00000000,00000000,00000000), ref: 00537CE2
                                                    • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00537A82,00000000,00000000,00000000,0052F653,00000000,00000000,?,00000000,00000000,00000000), ref: 00537D16
                                                    • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00537D30
                                                    • HeapFree.KERNEL32(00000000,?), ref: 00537D47
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: AllocHeap$FreeVirtual
                                                    • String ID:
                                                    • API String ID: 3499195154-0
                                                    • Opcode ID: 68e480b001c8b44312a353283861990205e347b7861986f038a0b67136470cf7
                                                    • Instruction ID: 66d0b49e49624abc5b9273e5e116d619d7244cec2c55ad6d1650bcb7f13317dd
                                                    • Opcode Fuzzy Hash: 68e480b001c8b44312a353283861990205e347b7861986f038a0b67136470cf7
                                                    • Instruction Fuzzy Hash: 92118C702403449FC7358F18EC859267BB6FF84722B108A19F152D69B0C772A847DF01
                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(00826C38,?,00000000,?,?,00549DFD,00000010,?,00000000,?,?,?,005497E4,00549847,005490BD,005497EA), ref: 0054AAC7
                                                    • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00549DFD,00000010,?,00000000,?,?,?,005497E4,00549847,005490BD,005497EA), ref: 0054AAD9
                                                    • LeaveCriticalSection.KERNEL32(00826C38,?,00000000,?,?,00549DFD,00000010,?,00000000,?,?,?,005497E4,00549847,005490BD,005497EA), ref: 0054AAE2
                                                    • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00549DFD,00000010,?,00000000,?,?,?,005497E4,00549847,005490BD,005497EA,00544BF1), ref: 0054AAF4
                                                      • Part of subcall function 0054A9F9: GetVersion.KERNEL32(?,0054AA9C,?,00549DFD,00000010,?,00000000,?,?,?,005497E4,00549847,005490BD,005497EA,00544BF1,00545E96), ref: 0054AA0C
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000005.00000002.2737530352.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737671725.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737671725.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737671725.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737671725.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737934515.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737959909.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737980567.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738002047.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738024230.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738046125.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738068178.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738199579.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738199579.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738199579.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738199579.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$Enter$InitializeLeaveVersion
                                                    • String ID:
                                                    • API String ID: 1193629340-0
                                                    • Opcode ID: 37008a4ce4adb6a59c32bdeff23902bfbd5156891adffd5d6724f40e3bce946c
                                                    • Instruction ID: 354e64508f78fadda31e78776eff901bcd455cec5889c7a137d548fcf142efeb
                                                    • Opcode Fuzzy Hash: 37008a4ce4adb6a59c32bdeff23902bfbd5156891adffd5d6724f40e3bce946c
                                                    • Instruction Fuzzy Hash: 56F0C23554131BDFCB20EF95EC98996B76CFB3031BB00443AE241C3061E731A46ACAA1
                                                    APIs
                                                    • InitializeCriticalSection.KERNEL32(?,00533B0B,?,0052DD38), ref: 005363E8
                                                    • InitializeCriticalSection.KERNEL32(?,00533B0B,?,0052DD38), ref: 005363F0
                                                    • InitializeCriticalSection.KERNEL32(?,00533B0B,?,0052DD38), ref: 005363F8
                                                    • InitializeCriticalSection.KERNEL32(?,00533B0B,?,0052DD38), ref: 00536400
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.2737559140.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000005.00000002.2737530352.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737671725.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737671725.00000000006B8000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737671725.00000000007AB000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737671725.00000000007B4000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737934515.00000000007D4000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737959909.00000000007D6000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2737980567.00000000007D8000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738002047.00000000007E1000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738024230.00000000007E2000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738046125.00000000007E7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738068178.00000000007EA000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.00000000007EB000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.00000000007F7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.0000000000805000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.0000000000825000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738093836.000000000082A000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738199579.000000000082D000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738199579.0000000000834000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738199579.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000005.00000002.2738199579.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_5_2_400000_211.jbxd
                                                    Similarity
                                                    • API ID: CriticalInitializeSection
                                                    • String ID:
                                                    • API String ID: 32694325-0
                                                    • Opcode ID: 275d700e53cd2a23dd95af7c94858fad77d263ba473a30024a1a2df793c9ebad
                                                    • Instruction ID: 528ba9adfb9f6fb68ae23038595a66ad50901980f4aff4f9771c8355d6a134df
                                                    • Opcode Fuzzy Hash: 275d700e53cd2a23dd95af7c94858fad77d263ba473a30024a1a2df793c9ebad
                                                    • Instruction Fuzzy Hash: 2BC002B19031B4DACAD12B55FF49C463F66EB0C2653018067A10C5D4708E251C50EFD6