
Windows Analysis Report
213.exe

Overview

General Information

Sample name: 213.exe
Analysis ID: 1559172
MD5: 92b87c6d54d69691eaa9d2d3021b9cf6
SHA1: 177fb16e46c31239d6817dfebe438456801f6026
SHA256: 145f0792808529be8c426d0537641741881c2f997f9af96ac52d132154721900
Tags: exe, opendir, user-Joker

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Renames NTDLL to bypass HIPS
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Enables driver privileges
Enables security privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
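Several of the signatures above are pure static-header findings (Uses 32bit PE files, PE file does not import any functions, Entry point lies outside standard sections, PE file contains sections with non-standard names, Binary contains a suspicious time stamp, and the RELOCS_STRIPPED characteristic the report lists under static PE information). The following script is an added example, not Joe Sandbox code, showing how to reproduce those checks from the raw PE32 headers without a sandbox. It does not parse the real 213.exe; the PE it triages is a header-only image constructed in memory, and the standard-section list and the timestamp bounds are heuristics chosen here.

```python
"""Static PE32 triage for the header-level findings a sandbox reports:
32-bit machine type, empty import table, entry point outside any section,
non-standard section names, suspicious timestamp, RELOCS_STRIPPED.
Added example (not Joe Sandbox code); the PE parsed below is constructed
in memory, not the real 213.exe."""
import struct
import time

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
# Section names a stock MSVC/MinGW link produces; anything else counts as non-standard (heuristic).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT", ".gfids"}
Y2K = 946684800  # heuristic lower bound for a believable link timestamp


def parse_pe(data):
    """Parse just enough of a PE32 image to answer the triage questions."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]       # NumberOfRvaAndSizes
    import_dir = (0, 0)
    if ndirs > IMAGE_DIRECTORY_ENTRY_IMPORT:
        import_dir = struct.unpack_from("<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sections = []
    for i in range(nsections):                        # 40-byte section headers after the optional header
        name, vsize, va, rawsize, _rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "size": vsize or rawsize})
    return {"machine": machine, "timestamp": timestamp, "characteristics": characteristics,
            "entry": entry_rva, "import_dir": tuple(import_dir), "sections": sections}


def triage(pe, now=None):
    """Return the list of static findings for a parsed PE, in report-style wording."""
    now = int(time.time()) if now is None else now
    flags = []
    if pe["machine"] == IMAGE_FILE_MACHINE_I386:
        flags.append("32bit PE")
    if pe["characteristics"] & IMAGE_FILE_RELOCS_STRIPPED:
        flags.append("RELOCS_STRIPPED")
    if pe["import_dir"] == (0, 0):
        flags.append("no imports")   # APIs resolved at runtime (GetProcAddress/PEB walk) or by an unpacker
    home = next((s for s in pe["sections"] if s["va"] <= pe["entry"] < s["va"] + s["size"]), None)
    if home is None:
        flags.append("entry point outside all sections")
    elif home["name"] not in STANDARD_SECTIONS:
        flags.append("entry point in non-standard section " + home["name"])
    odd = [s["name"] for s in pe["sections"] if s["name"] not in STANDARD_SECTIONS]
    if odd:
        flags.append("non-standard section names: " + ", ".join(odd))
    if pe["timestamp"] < Y2K or pe["timestamp"] > now + 86400:
        flags.append("suspicious timestamp")
    return flags


def build_sample_pe(entry_rva, timestamp, section_names, with_imports, characteristics=0x0102):
    """Construct a header-only PE32 (not loadable) so the triage runs offline. Constructed test input."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(section_names),
                       timestamp, 0, 0, 224, characteristics)
    opt = bytearray(224)                              # PE32 optional header incl. 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)       # ImageBase
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    if with_imports:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x3000, 0x50)
    headers = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return dos + b"PE\0\0" + coff + bytes(opt) + headers


if __name__ == "__main__":
    packed = build_sample_pe(0x5000, 2_000_000_000, [".text", ".xyz0"], False, 0x0103)
    print(triage(parse_pe(packed)))
```

The "no imports" and "entry point outside all sections" findings together are the classic shape of a packed loader: nothing for the import resolver to do, and execution starting in data the unpacker will populate, which is consistent with the report later listing an unpacked PE at 0x10000000.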

Classification

  • System is w10x64
  • 213.exe (PID: 8064 cmdline: "C:\Users\user\Desktop\213.exe" MD5: 92B87C6D54D69691EAA9D2D3021B9CF6)
  • 213.exe (PID: 888 cmdline: "C:\Users\user\Desktop\213.exe" MD5: 92B87C6D54D69691EAA9D2D3021B9CF6)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: 213.exe PID: 8064 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
Process Memory Space: 213.exe PID: 888 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
Registry Key set | Wow6432Node CurrentVersion Autorun Keys Modification (Sigma) | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\Desktop\213.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\213.exe, ProcessId: 8064, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\
      No Suricata rule has matched
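The Sigma hit above is a Sysmon EventID 13 (registry value set) on the Run key under the Wow6432Node view. That location is itself a tell: a 32-bit process on 64-bit Windows that writes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is transparently redirected by WOW64 to the Wow6432Node branch, which is why the rule has a Wow6432Node variant at all. The script below is an added example, not the Sigma project's rule text, that applies the same logic to newline-delimited JSON Sysmon events. The autorun subkey list is abbreviated, the benign-image filter (msiexec) is an assumption to tune per estate, and the events are constructed; the first one mirrors the report's hit.

```python
"""Sysmon EventID 13 detection mirroring the logic of the Sigma rule
"Wow6432Node CurrentVersion Autorun Keys Modification". Added example,
not the rule's own text; subkey list abbreviated, benign-image filter
assumed, input events constructed."""
import json

# Under WOW64, a 32-bit process writing HKLM\SOFTWARE\...\CurrentVersion\Run
# is redirected to the Wow6432Node view, hence the dedicated rule variant.
WOW_PREFIX = "\\software\\wow6432node\\microsoft\\windows\\currentversion"
AUTORUN_SUBKEYS = ("\\run", "\\runonce", "\\runonceex", "\\runservices",
                   "\\runservicesonce", "\\policies\\explorer\\run")
# Installers that legitimately write autorun values; assumed filter, tune per estate.
BENIGN_IMAGES = {"c:\\windows\\system32\\msiexec.exe", "c:\\windows\\syswow64\\msiexec.exe"}


def match_autorun_set(event):
    """Return a finding dict if the event is a Wow6432Node autorun SetValue, else None."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return None
    target = event.get("TargetObject", "").lower()          # Sigma 'contains' is case-insensitive
    idx = target.find(WOW_PREFIX)
    if idx < 0:
        return None
    tail = target[idx + len(WOW_PREFIX):]                   # e.g. "\run\updater" or "\run\"
    subkey = next((k for k in AUTORUN_SUBKEYS if tail == k or tail.startswith(k + "\\")), None)
    if subkey is None:
        return None
    if event.get("Details", "") in ("", "(Empty)"):        # value cleared, not a persistence write
        return None
    if event.get("Image", "").lower() in BENIGN_IMAGES:
        return None
    return {"rule": "Wow6432Node CurrentVersion Autorun Keys Modification",
            "subkey": subkey, "image": event.get("Image"), "pid": event.get("ProcessId"),
            "target": event.get("TargetObject"), "details": event.get("Details")}


def run_detection(jsonl):
    """Run the rule over newline-delimited JSON Sysmon events; returns the findings."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            hit = match_autorun_set(json.loads(line))
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events; the first mirrors the report's Sigma hit.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 8064,
     "Image": "C:\\Users\\user\\Desktop\\213.exe",
     "TargetObject": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\",
     "Details": "C:\\Users\\user\\Desktop\\213.exe"},
    # installer writing a Run value: suppressed by the benign-image filter
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 4120,
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater",
     "Details": "C:\\Program Files (x86)\\Vendor\\updater.exe"},
    # same hive branch, but not an autorun key
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 4120,
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Vendor\\DisplayName",
     "Details": "Vendor Suite"},
    # key creation (EventID 12), not a value set
    {"EventID": 12, "EventType": "CreateKey", "ProcessId": 8064,
     "Image": "C:\\Users\\user\\Desktop\\213.exe",
     "TargetObject": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run"},
])

if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding)
```

Matching on the key path with the value name stripped (tail == key or tail starts with key + "\") keeps a write to Run\ from also being reported as RunOnce, and the Details filter drops the value-clear events a cleanup would otherwise raise. Note that a hit on the Wow6432Node branch says the writer was a 32-bit process; the non-redirected HKLM\...\CurrentVersion\Run path needs the companion rule.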


      AV Detection

Source: C:\Users\user\Desktop\QQWER.dll | ReversingLabs: Detection: 73%
Source: 213.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 95.2% probability
Source: C:\Users\user\Desktop\QQWER.dll | Joe Sandbox ML: detected
Source: 213.exe | Joe Sandbox ML: detected

QQWER.dll is the dropped file behind the "Multi AV Scanner detection for dropped file" and "Dropped file seen in connection with other malware" signatures. The dropped DLL scoring higher (73%) than the submitted dropper (47%) is the usual pattern: the outer loader is the freshly built, less-recognized layer, and the payload it writes out is the reused component.

      Compliance

Source: C:\Users\user\Desktop\213.exe | Unpacked PE file: 1.2.213.exe.10000000.2.unpack
Source: C:\Users\user\Desktop\213.exe | Unpacked PE file: 4.2.213.exe.10000000.2.unpack
Source: 213.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: devco n.pdbo | source: 213.exe
Source: Binary string: wntdll.pdbUGP | source: 213.exe, 00000001.00000002.2649542491.0000000002D42000.00000040.00000020.00020000.00000000.sdmp, 213.exe, 00000001.00000003.1368992017.0000000002B93000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000003.1531909500.0000000002A68000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000002.2649235913.0000000002C1E000.00000040.00000020.00020000.00000000.sdmp, 61d161.tmp.4.dr, 6191a9.tmp.1.dr
Source: Binary string: wntdll.pdb | source: 213.exe, 00000001.00000002.2649542491.0000000002D42000.00000040.00000020.00020000.00000000.sdmp, 213.exe, 00000001.00000003.1368992017.0000000002B93000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000003.1531909500.0000000002A68000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000002.2649235913.0000000002C1E000.00000040.00000020.00020000.00000000.sdmp, 61d161.tmp.4.dr, 6191a9.tmp.1.dr
Source: Binary string: DrvInDM U.pdbe | source: 213.exe
Source: Binary string: wuser32.pdb | source: 213.exe, 00000001.00000002.2649779035.0000000002EF3000.00000040.00000020.00020000.00000000.sdmp, 213.exe, 00000001.00000003.1369730161.0000000002B94000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000003.1532972259.0000000002A67000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000002.2649482812.0000000002DD1000.00000040.00000020.00020000.00000000.sdmp, 619216.tmp.1.dr, 61d1bf.tmp.4.dr
Source: Binary string: devc@on.pdb | source: 213.exe
Source: Binary string: wuser32.pdbUGP | source: 213.exe, 00000001.00000002.2649779035.0000000002EF3000.00000040.00000020.00020000.00000000.sdmp, 213.exe, 00000001.00000003.1369730161.0000000002B94000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000003.1532972259.0000000002A67000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000002.2649482812.0000000002DD1000.00000040.00000020.00020000.00000000.sdmp, 619216.tmp.1.dr, 61d1bf.tmp.4.dr

Reading these: wntdll.pdb and wuser32.pdb are the debug-symbol names of the 32-bit (WOW64) ntdll.dll and user32.dll. Finding them in the dropped 6191a9.tmp/61d161.tmp and 619216.tmp/61d1bf.tmp files as well as in the process memory dumps of both 213.exe instances fits the "Renames NTDLL to bypass HIPS" signature: the sample appears to copy these system DLLs to temp files and map fresh copies, so any user-mode hooks an EDR placed in the originally loaded ntdll/user32 are not in the code path it actually calls. The fragments "devco n.pdbo", "devc@on.pdb" and "DrvInDM U.pdbe" in 213.exe itself are partly overwritten and are kept verbatim; read together with "Enables driver privileges" they look like remnants of a devcon.pdb path, but that is an inference, not something the report establishes.
Source: C:\Users\user\Desktop\213.exe | Code function: 4x nop then cmp dword ptr [ebp-XXh], esp

These are the hits behind "Found inlined nop instructions (likely shell or obfuscated code)". All function addresses lie in the image unpacked at 0x10000000 (1.2.213.exe.10000000.2.unpack, process 1, dump 2). Listed per function as function ID: stack slot(s) compared against esp.

Caveat: a cmp dword ptr [ebp-XXh], esp following a call is also the stack-pointer consistency check that MSVC run-time checks (/RTCs, __RTC_CheckEsp) emit around calls in unoptimized builds, and such builds carry nop padding as well, so on its own this signature is weak evidence of hand-written shellcode or obfuscation. The verdict rests on the other findings (unpacked PE in memory, no imports, call/push/ret obfuscation, raw input device, autorun key), not on this list.

1_2_1000710E: [ebp-20h], [ebp-28h]
1_2_1001A199: [ebp-10h]
1_2_10018AD3: [ebp-04h]
1_2_10018EEA: [ebp-04h]
1_2_100193C2: [ebp-20h], [ebp-24h]
1_2_10007FDD: [ebp-0Ch]
1_2_10018801: [ebp-0Ch]
1_2_10017804: [ebp-14h]
1_2_10011772: [ebp-0Ch]
1_2_10013C18: [ebp-10h]
1_2_10011C1A: [ebp-04h]
1_2_1001A031: [ebp-10h]
1_2_10024C38: [ebp-58h]
1_2_1001AC51: [ebp-20h]
1_2_10006051: [ebp-10h]
1_2_1001385A: [ebp-14h]
1_2_10002461: [ebp-04h]
1_2_1000F472: [ebp-0Ch]
1_2_1001847E: [ebp-18h]
1_2_10022882: [ebp-10h]
1_2_10025484: [ebp-38h], [ebp-58h]
1_2_10006495: [ebp-20h]
1_2_10006C96: [ebp-10h]
1_2_10014096: [ebp-04h]
1_2_100024AC: [ebp-14h], [ebp-20h]
1_2_1000FCB0: [ebp-10h]
1_2_1001A8BE: [ebp-1Ch]
1_2_100198CC: [ebp-44h]
1_2_100188E1: [ebp-08h]
1_2_1001A4E7: [ebp-14h]
1_2_1000210D: [ebp-14h]
1_2_1000B90D: [ebp-24h]
1_2_10003116: [ebp-10h]
1_2_10017D41: [ebp-0Ch]
1_2_1000FD4D: [ebp-10h]
1_2_10001D56: [ebp-08h]
1_2_10025977: [ebp-58h]
1_2_10010199: [ebp-0Ch]
1_2_1001419C: [ebp-04h]
1_2_10008DA3: [ebp-10h]
1_2_100111A7: [ebp-08h]
1_2_10007DB8: [ebp-10h]
1_2_100151BD: [ebp-18h]
1_2_1001D1C4: [ebp-28h], [ebp-20h]
1_2_100259D9: [ebp-3Ch]
1_2_100221E2: [ebp-2Ch]
1_2_100189E6: [ebp-10h]
1_2_1000FDEA: [ebp-0Ch]
1_2_100101FB: [ebp-08h]
1_2_10014203: [ebp-08h]
1_2_1001121A: [ebp-14h]
1_2_1000B61E: [ebp-0Ch]
1_2_1001221F: [ebp-2Ch]
1_2_1001A236: [ebp-14h]
1_2_1001363D: [ebp-0Ch], [ebp-14h]
1_2_10008E40: [ebp-10h]
1_2_10011653: [ebp-08h]
1_2_10010255: [ebp-10h]
1_2_10007E55: [ebp-10h], [ebp-24h]
1_2_1000C655: [ebp-50h], [ebp-3Ch], [ebp-40h]
1_2_1000FA6F: [ebp-10h]
1_2_10022A80: [ebp-10h]
1_2_10011E89: [ebp-10h]
1_2_10014289: [ebp-44h], [ebp-48h], [ebp-4Ch], [ebp-58h]
1_2_1002129C: [ebp-4Ch], [ebp-54h], [ebp-50h]
1_2_1001A6C7: [ebp-14h]
1_2_10017ECA: [ebp-20h]
1_2_10010AD6: [ebp-10h]
1_2_10008EDD: [ebp-38h]
1_2_1001BADE: [ebp-04h]
1_2_100246E4: [ebp-10h]
1_2_1001F2ED: [ebp-00000084h], [ebp-0000008Ch]
1_2_1001A6F8: [ebp-10h], [ebp-18h]
1_2_100236FF: [ebp-08h]
1_2_1000FF10: [ebp-10h]
1_2_10008B27: [ebp-10h]
1_2_1001BB29: [ebp-04h]
1_2_10015B34: [ebp-14h]
1_2_1000833D: [ebp-10h]
1_2_10012B40: [ebp-34h]
1_2_1000634E: [ebp-04h]
1_2_1000B353: [ebp-10h]
1_2_10026356: [ebp-4Ch]
1_2_1001DB5C: [ebp-54h], [ebp-44h]
1_2_10017B68: [ebp-0Ch]
1_2_10024781: [ebp-38h], [ebp-58h]
1_2_1002378A: [ebp-0Ch], [ebp-14h]
1_2_1001BFA0: [ebp-1Ch], [ebp-24h]
1_2_1000A7A2: [ebp-18h]
1_2_100137A3: [ebp-10h]
1_2_1000F7AC: [ebp-10h]
1_2_10008BC4: [ebp-10h]
1_2_10013FC8: [ebp-10h]
1_2_10007BCA: [ebp-10h]
1_2_10005FDA: [ebp-04h]
1_2_100253E7: [ebp-10h]
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp1_2_1000B3F0
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_100198CC
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp4_2_1000710E
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp4_2_1000710E
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-28h], esp4_2_1000710E
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp4_2_1000710E
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1001A199
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_10018AD3
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_10018AD3
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_10018EEA
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp4_2_100193C2
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp4_2_100193C2
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_10007FDD
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_10018801
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_10017804
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_10011772
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10013C18
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_10011C1A
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1001A031
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp4_2_10024C38
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp4_2_1001AC51
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp4_2_1001AC51
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp4_2_1001AC51
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10006051
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10006051
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1001385A
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_10002461
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_1000F472
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp4_2_1001847E
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10022882
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-38h], esp4_2_10025484
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp4_2_10025484
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp4_2_10006495
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10006C96
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_10014096
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_10014096
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_100024AC
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp4_2_100024AC
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_100024AC
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_100024AC
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1000FCB0
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp4_2_1001A8BE
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp4_2_1001A8BE
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp4_2_1001A8BE
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp4_2_1001A8BE
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp4_2_1001A8BE
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp4_2_1001A8BE
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp4_2_1001A8BE
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp4_2_1001A8BE
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp4_2_1001A8BE
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp4_2_1001A8BE
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp4_2_1001A8BE
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp4_2_1001A8BE
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp4_2_100188E1
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1001A4E7
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1000210D
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1000210D
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp4_2_1000B90D
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10003116
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_10017D41
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_10017D41
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1000FD4D
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp4_2_10001D56
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp4_2_10025977
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_10010199
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_1001419C
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_1001419C
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10008DA3
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp4_2_100111A7
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10007DB8
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp4_2_100151BD
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp4_2_100151BD
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp4_2_100151BD
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-28h], esp4_2_1001D1C4
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp4_2_1001D1C4
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp4_2_100259D9
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp4_2_100221E2
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp4_2_100221E2
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp4_2_100221E2
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp4_2_100221E2
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp4_2_100221E2
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_100189E6
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_1000FDEA
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp4_2_100101FB
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp4_2_10014203
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1001121A
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1001121A
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1001121A
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1001121A
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1001121A
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1001121A
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_1000B61E
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp4_2_1001221F
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-2Ch], esp4_2_1001221F
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1001A236
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_1001363D
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1001363D
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10008E40
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp4_2_10011653
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp4_2_10011653
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10010255
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10010255
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10007E55
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp4_2_10007E55
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp4_2_1000C655
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp4_2_1000C655
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp4_2_1000C655
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp4_2_1000C655
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp4_2_1000C655
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp4_2_1000C655
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp4_2_1000C655
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp4_2_1000C655
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp4_2_1000C655
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-40h], esp4_2_1000C655
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp4_2_1000C655
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp4_2_1000C655
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp4_2_1000C655
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp4_2_1000C655
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-40h], esp4_2_1000C655
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-3Ch], esp4_2_1000C655
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1000FA6F
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10022A80
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10011E89
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp4_2_1002129C
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp4_2_1002129C
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp4_2_1002129C
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp4_2_1002129C
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp4_2_1002129C
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-54h], esp4_2_1002129C
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp4_2_1002129C
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp4_2_1002129C
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp4_2_1002129C
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-50h], esp4_2_1002129C
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp4_2_1002129C
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp4_2_1002129C
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp4_2_1002129C
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp4_2_1002129C
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1001A6C7
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-20h], esp4_2_10017ECA
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10010AD6
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10010AD6
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-38h], esp4_2_10008EDD
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_1001BADE
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_100246E4
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-00000084h], esp4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1001A6F8
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp4_2_1001A6F8
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1001A6F8
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1001A6F8
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1001A6F8
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1001A6F8
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp4_2_100236FF
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-08h], esp4_2_100236FF
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1000FF10
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10008B27
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_1001BB29
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_10015B34
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1000833D
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-34h], esp4_2_10012B40
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-04h], esp4_2_1000634E
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1000B353
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp4_2_10026356
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-54h], esp4_2_1001DB5C
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_1001DB5C
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_10017B68
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_10011772
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-38h], esp4_2_10024781
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp4_2_10024781
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_1002378A
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_1002378A
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-14h], esp4_2_1002378A
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_1002378A
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-0Ch], esp4_2_1002378A
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-4Ch], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-58h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-44h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-48h], esp4_2_10014289
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp4_2_1001BFA0
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp4_2_1001BFA0
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp4_2_1001BFA0
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-24h], esp4_2_1001BFA0
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-1Ch], esp4_2_1001BFA0
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-18h], esp4_2_1000A7A2
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_100137A3
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_1000F7AC
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10008BC4
      Source: C:\Users\user\Desktop\213.exeCode function: 4x nop then cmp dword ptr [ebp-10h], esp4_2_10013FC8
      Source: global trafficHTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
      Source: unknownTCP traffic detected without corresponding DNS query: 42.193.100.57 (48 identical entries in the report, collapsed here: every connection was made to the IP literal, none preceded by a DNS lookup)
      Source: global trafficHTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1Accept: */*User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)Host: 42.193.100.57Cache-Control: no-cache
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5Date: Wed, 20 Nov 2024 08:15:20 GMTContent-Length: 1163Data Raw (decoded from the report's hex dump; GB2312 text, the stock IIS 8.5 error page, cut off by the report mid-tag): <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=gb2312"/> <title>404 - 找不到文件或目录。</title> [title: "404 - File or directory not found."] <style type="text/css"> <!-- body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;} fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;} h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF; background-color:#555555;} #content{margin:0 0 0 2%;position:relative;} .content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;} --> </style> </head> <body> <div id="header"><h1>服务器错误</h1></div> [h1: "Server Error"] <di
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5Date: Wed, 20 Nov 2024 08:15:35 GMTContent-Length: 1163Data Raw: the same 1163-byte IIS 8.5 404 page as the response above (the report's hex dump is byte-for-byte identical)
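An analyst reading the eight requests above wants three things the flat log does not give: the decoded paths, the per-URL hit count, and the indicators worth pivoting on. The Python below is an added triage helper written for this page; it is not code from Joe Sandbox or from the sample. It parses the requests (reconstructed below with the CRLFs the report flattened), decodes the percent-encoded paths (they read 自己的档.txt, roughly "own file", and 存档/.txt, roughly "archive"), and tags the Host header being a bare IP literal (the same fact the "TCP traffic detected without corresponding DNS query" lines record), the hard-coded IE 6 / Windows 2000 User-Agent, the non-ASCII path, the plaintext .txt fetch and the no-cache polling. The tag names and the legacy User-Agent list are this example's own choices; that User-Agent is also emitted by some legitimate old HTTP clients, so treat it as a pivot, not a verdict. Note too that both files returned 404 during this run, so the sandbox saw only the polling stage and nothing of what the files would have carried.

```python
"""Triage the HTTP beacons recorded for 213.exe: parse each request, decode the
percent-encoded path and tag the indicators an analyst would pivot on.

Added example for this page, not code from the report or the sample.  The
sample requests are constructed from the report's request lines."""
import ipaddress
from collections import Counter
from urllib.parse import unquote

# Constructed from the report's "HTTP traffic detected" lines (CRLFs restored).
REQUEST_A = (
    "GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n"
    "Host: 42.193.100.57\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
REQUEST_B = REQUEST_A.replace(
    "/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt", "/%E5%AD%98%E6%A1%A3/.txt"
)
# Same order as the eight GETs in the report: 3x A, B, 3x A, B.
SAMPLE_REQUESTS = [REQUEST_A] * 3 + [REQUEST_B] + [REQUEST_A] * 3 + [REQUEST_B]

# User-Agent strings no current browser sends but hard-coded HTTP clients still
# emit.  This list is the example's own assumption; extend it from your own data.
LEGACY_USER_AGENTS = {
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
}


def parse_request(raw):
    """Split one HTTP/1.x request into method, path, version and a header dict."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def host_is_ip_literal(host):
    """True when Host is a bare IPv4/IPv6 address (optionally host:port for v4),
    i.e. the client needed no DNS lookup to reach it."""
    try:
        ipaddress.ip_address(host.split(":")[0] if host.count(":") == 1 else host)
        return True
    except ValueError:
        return False


def indicators(req):
    """Return the indicator tags that apply to one parsed request, in fixed order."""
    tags = []
    h = req["headers"]
    if host_is_ip_literal(h.get("host", "")):
        tags.append("host-is-ip-literal")
    if h.get("user-agent") in LEGACY_USER_AGENTS:
        tags.append("legacy-ie6-user-agent")
    decoded = unquote(req["path"])
    if any(ord(c) > 0x7F for c in decoded):
        tags.append("non-ascii-path")
    if decoded.lower().endswith(".txt"):
        tags.append("plaintext-payload-fetch")
    if h.get("cache-control", "").lower() == "no-cache":
        tags.append("no-cache-polling")
    return tags


def triage(raw_requests):
    """Aggregate hit counts, decoded paths and indicator tags per requested URL."""
    hits = Counter()
    report = {}
    for raw in raw_requests:
        req = parse_request(raw)
        url = "http://%s%s" % (req["headers"].get("host", ""), req["path"])
        hits[url] += 1
        report[url] = {"decoded_path": unquote(req["path"]),
                       "indicators": indicators(req)}
    for url, entry in report.items():
        entry["count"] = hits[url]
    return report


if __name__ == "__main__":
    for url, entry in triage(SAMPLE_REQUESTS).items():
        print("%dx %s -> %s [%s]" % (entry["count"], url, entry["decoded_path"],
                                    ", ".join(entry["indicators"])))
```

Run it as-is to see the two URLs with their counts (6 and 2) and decoded names; feed it requests carved from your own proxy or PCAP export by keeping the same CRLF framing.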
      Source: 213.exeString found in binary or memory: http://.httpsset-cookie:;;
      Source: 213.exe, 00000001.00000002.2647752348.0000000000A45000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://42.193.100.57/
      Source: 213.exeString found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/
      Source: 213.exe, 00000001.00000002.2647752348.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000001.00000002.2647752348.00000000009F7000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000001.00000002.2647752348.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000002.2647341814.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000002.2647341814.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000002.2647341814.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000002.2647341814.0000000000B7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt
      Source: 213.exe, 00000001.00000002.2647752348.0000000000A4F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt2
      Source: 213.exe, 00000004.00000002.2647341814.0000000000B7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtH
      Source: 213.exeString found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt
      Source: 213.exe, 00000001.00000002.2647752348.0000000000A4F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt(
      Source: 213.exe, 00000004.00000002.2647341814.0000000000B08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt3
      Source: 213.exe, 00000004.00000002.2647341814.0000000000B7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtD:
      Source: 213.exe, 00000001.00000002.2647752348.0000000000A23000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtW
      Source: 213.exe, 00000001.00000002.2647752348.0000000000A23000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtl
      Source: 213.exe, 00000004.00000003.1611716242.0000000000BAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9Or&8
      Source: 213.exeString found in binary or memory: http://ocsp.t
      Source: 213.exeString found in binary or memory: http://sf.symc
      Source: 213.exeString found in binary or memory: http://ts-ocsp.ws.s
      Source: 213.exeString found in binary or memory: http://ts-ocsp.ws.symantec.
      Source: 213.exeString found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
      Source: 213.exeString found in binary or memory: https://note.youdao.com/yws/public/note/03cb89fe74e7b4305099ed5dabde2135?sev=j1
      Source: 213.exeString found in binary or memory: https://ww(w.v
      Source: C:\Users\user\Desktop\213.exeCode function: 1_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits,1_2_1001F2ED
      Source: 213.exe, 00000001.00000002.2647752348.00000000009AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: GetRawInputDatamemstr_034dbfd8-5
      Source: Yara matchFile source: Process Memory Space: 213.exe PID: 8064, type: MEMORYSTR
      Source: Yara matchFile source: Process Memory Space: 213.exe PID: 888, type: MEMORYSTR
      Source: C:\Users\user\Desktop\213.exeCode function: 1_2_10007FDD NtClose,1_2_10007FDD
      Source: C:\Users\user\Desktop\213.exeCode function: 1_2_1001419C ReleaseMutex,NtClose,1_2_1001419C
      Source: C:\Users\user\Desktop\213.exeCode function: 1_2_1001221F NtClose,1_2_1001221F
      Source: C:\Users\user\Desktop\213.exeCode function: 4_2_10007FDD NtClose,4_2_10007FDD
      Source: C:\Users\user\Desktop\213.exeCode function: 4_2_1001419C ReleaseMutex,NtClose,4_2_1001419C
      Source: C:\Users\user\Desktop\213.exeCode function: 4_2_1001221F NtClose,4_2_1001221F
      Source: C:\Users\user\Desktop\213.exeCode function: 1_2_004C60601_2_004C6060
      Source: C:\Users\user\Desktop\213.exeCode function: 1_2_004C4B801_2_004C4B80
      Source: C:\Users\user\Desktop\213.exeCode function: 1_2_100026281_2_10002628
      Source: C:\Users\user\Desktop\213.exeCode function: 1_2_100032EA1_2_100032EA
      Source: C:\Users\user\Desktop\213.exeCode function: 4_2_004C60604_2_004C6060
      Source: C:\Users\user\Desktop\213.exeCode function: 4_2_004C4B804_2_004C4B80
      Source: C:\Users\user\Desktop\213.exeCode function: 4_2_100026284_2_10002628
      Source: C:\Users\user\Desktop\213.exeCode function: 4_2_100032EA4_2_100032EA
      Source: Joe Sandbox ViewDropped File: C:\Users\user\Desktop\QQWER.dll BE7A0A59B36299F40D6AC2FC126ACFD6C8BBFF8C4F8D9D85267DF3E2E1E3AED3
      Source: C:\Users\user\Desktop\213.exeProcess token adjusted: Load DriverJump to behavior
      Source: C:\Users\user\Desktop\213.exeProcess token adjusted: SecurityJump to behavior
      Source: C:\Users\user\Desktop\213.exeCode function: String function: 10029640 appears 130 times
      Source: 6191a9.tmp.1.drStatic PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
      Source: 61d161.tmp.4.drStatic PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
      Source: 6191a9.tmp.1.drStatic PE information: No import functions for PE file found
      Source: 61d161.tmp.4.drStatic PE information: No import functions for PE file found
      Source: 213.exe, 00000001.00000002.2649542491.0000000002E6F000.00000040.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 213.exe
      Source: 213.exe, 00000001.00000003.1368992017.0000000002CB6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 213.exe
      Source: 213.exe, 00000001.00000003.1369730161.0000000002B94000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameuser32j% vs 213.exe
      Source: 213.exe, 00000001.00000002.2649779035.0000000002F9C000.00000040.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameuser32j% vs 213.exe
      Source: 213.exe, 00000004.00000003.1532972259.0000000002A67000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameuser32j% vs 213.exe
      Source: 213.exe, 00000004.00000002.2649482812.0000000002E7A000.00000040.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameuser32j% vs 213.exe
      Source: 213.exe, 00000004.00000002.2649235913.0000000002D4B000.00000040.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 213.exe
      Source: 213.exe, 00000004.00000003.1531909500.0000000002B8B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 213.exe
      Source: 213.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: QQWER.dll.1.drStatic PE information: Section: .rsrc ZLIB complexity 1.0002780183550337
      Source: 6191a9.tmp.1.drBinary string: \Device\IPT[
      Source: classification engineClassification label: mal84.evad.winEXE@2/11@0/1
      Source: C:\Users\user\Desktop\213.exeCode function: 1_2_0041CB46 GetDiskFreeSpaceExA,1_2_0041CB46
      Source: C:\Users\user\Desktop\213.exeFile created: C:\Users\user\Desktop\QQWER.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeMutant created: NULL
      Source: C:\Users\user\Desktop\213.exeFile created: C:\Users\user\AppData\Local\Temp\6191a9.tmpJump to behavior
      Source: 213.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\213.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: 213.exeReversingLabs: Detection: 47%
      Source: unknownProcess created: C:\Users\user\Desktop\213.exe "C:\Users\user\Desktop\213.exe"
      Source: unknownProcess created: C:\Users\user\Desktop\213.exe "C:\Users\user\Desktop\213.exe"
      Source: C:\Users\user\Desktop\213.exeSection loaded: apphelp.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: winmm.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: rasapi32.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: rasman.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: winmm.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: rasapi32.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: wininet.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: rasman.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: kernel.appcore.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: version.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: ntmarta.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: iertutil.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: winnsi.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: dpapi.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: urlmon.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: srvcli.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: netutils.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: textshaping.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: textinputframework.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: coreuicomponents.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: coremessaging.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeSection loaded: wintypes.dllJump to behavior
      Source: C:\Users\user\Desktop\213.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
      Source: C:\Users\user\Desktop\213.exeWindow detected: Number of UI elements: 23
      Source: 213.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
      Source: 213.exeStatic file information: File size 5222400 > 1048576
      Source: 213.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x14f000
      Source: 213.exeStatic PE information: Raw size of .rdata is bigger than: 0x100000 < 0x286000
      Source: 213.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x10d000
      Source: Binary string: devco n.pdbo source: 213.exe
      Source: Binary string: wntdll.pdbUGP source: 213.exe, 00000001.00000002.2649542491.0000000002D42000.00000040.00000020.00020000.00000000.sdmp, 213.exe, 00000001.00000003.1368992017.0000000002B93000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000003.1531909500.0000000002A68000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000002.2649235913.0000000002C1E000.00000040.00000020.00020000.00000000.sdmp, 61d161.tmp.4.dr, 6191a9.tmp.1.dr
      Source: Binary string: wntdll.pdb source: 213.exe, 00000001.00000002.2649542491.0000000002D42000.00000040.00000020.00020000.00000000.sdmp, 213.exe, 00000001.00000003.1368992017.0000000002B93000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000003.1531909500.0000000002A68000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000002.2649235913.0000000002C1E000.00000040.00000020.00020000.00000000.sdmp, 61d161.tmp.4.dr, 6191a9.tmp.1.dr
      Source: Binary string: DrvInDM U.pdbe source: 213.exe
      Source: Binary string: wuser32.pdb source: 213.exe, 00000001.00000002.2649779035.0000000002EF3000.00000040.00000020.00020000.00000000.sdmp, 213.exe, 00000001.00000003.1369730161.0000000002B94000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000003.1532972259.0000000002A67000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000002.2649482812.0000000002DD1000.00000040.00000020.00020000.00000000.sdmp, 619216.tmp.1.dr, 61d1bf.tmp.4.dr
      Source: Binary string: devc@on.pdb source: 213.exe
      Source: Binary string: wuser32.pdbUGP source: 213.exe, 00000001.00000002.2649779035.0000000002EF3000.00000040.00000020.00020000.00000000.sdmp, 213.exe, 00000001.00000003.1369730161.0000000002B94000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000003.1532972259.0000000002A67000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000002.2649482812.0000000002DD1000.00000040.00000020.00020000.00000000.sdmp, 619216.tmp.1.dr, 61d1bf.tmp.4.dr

      Data Obfuscation

      barindex
      Source: C:\Users\user\Desktop\213.exeUnpacked PE file: 1.2.213.exe.10000000.2.unpack
      Source: C:\Users\user\Desktop\213.exeUnpacked PE file: 4.2.213.exe.10000000.2.unpack
      Source: 619216.tmp.1.drStatic PE information: 0x9A58494B [Sun Jan 21 19:13:15 2052 UTC]
      Source: C:\Users\user\Desktop\213.exeCode function: 1_2_004C3FD0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,1_2_004C3FD0
      Source: initial sampleStatic PE information: section where entry point is pointing to: .rsrc
      Source: QQWER.dll.1.drStatic PE information: section name: .Upack
      Source: 6191a9.tmp.1.drStatic PE information: section name: RT
      Source: 6191a9.tmp.1.drStatic PE information: section name: .mrdata
      Source: 6191a9.tmp.1.drStatic PE information: section name: .00cfg
      Source: 619216.tmp.1.drStatic PE information: section name: .didat
      Source: 61d161.tmp.4.drStatic PE information: section name: RT
      Source: 61d161.tmp.4.drStatic PE information: section name: .mrdata
      Source: 61d161.tmp.4.drStatic PE information: section name: .00cfg
      Source: 61d1bf.tmp.4.drStatic PE information: section name: .didat
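Taken together, the lines above describe the "Renames NTDLL to bypass HIPS" behaviour listed in the signatures: the .tmp files written to %TEMP% carry the wntdll.pdb and wuser32.pdb CodeView records, report OriginalFilename values of ntdll.dll and user32, have no import table and an RT_MESSAGETABLE resource, and use the RT, .mrdata, .00cfg and .didat section names that belong to ntdll.dll and user32.dll. The usual purpose is to load fresh, renamed copies of those DLLs so that user-mode hooks placed in the real ones are not on the sample's call path. The future-dated timestamp flagged for 619216.tmp fits that reading as well: Microsoft's reproducible builds store a hash in the PE TimeDateStamp field rather than a build date, so a nonsensical date on a copy of user32.dll is not by itself a sign of tampering. The Python below is an added hunting check written for this page, not code from the report or the sample: it carves the RSDS PDB name and the VERSIONINFO OriginalFilename out of a file image and flags a file whose on-disk name does not match the system DLL its metadata claims. The PDB-to-DLL table and the constructed sample blob are this example's own; it is a string-carving heuristic rather than a PE parser, so a copy with the debug and version data stripped would evade it.

```python
"""Hunting check for renamed copies of system DLLs: a PE dropped as
%TEMP%\\<hex>.tmp whose CodeView PDB record and VERSIONINFO OriginalFilename
identify it as ntdll.dll or user32.dll.

Added example for this page, not code from the report or from the sample.
String-carving heuristic, not a full PE parser; the sample blob is constructed."""
import struct

# PDB names Microsoft ships for the 32-bit DLLs (the strings the report found in
# the .tmp files) plus the 64-bit names, mapped to the DLL each belongs to.
PDB_TO_DLL = {
    "wntdll.pdb": "ntdll.dll",
    "wuser32.pdb": "user32.dll",
    "ntdll.pdb": "ntdll.dll",
    "user32.pdb": "user32.dll",
}
SYSTEM_DLLS = set(PDB_TO_DLL.values())
# UTF-16LE key of the version-resource string, including its NUL terminator.
ORIGINAL_FILENAME_KEY = "OriginalFilename".encode("utf-16le") + b"\x00\x00"


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def carve_pdb_name(blob):
    """Return the PDB file name from the first RSDS CodeView record, or None.

    Record layout: b'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated path."""
    i = blob.find(b"RSDS")
    if i < 0 or i + 24 > len(blob):
        return None
    end = blob.find(b"\x00", i + 24)
    if end < 0:
        end = len(blob)
    return basename(blob[i + 24:end].decode("latin-1")).lower()


def carve_original_filename(blob):
    """Return the VS_VERSIONINFO OriginalFilename value, or None.

    The value follows the key after DWORD-alignment padding; both are UTF-16LE."""
    i = blob.find(ORIGINAL_FILENAME_KEY)
    if i < 0:
        return None
    pos = i + len(ORIGINAL_FILENAME_KEY)
    while blob[pos:pos + 2] == b"\x00\x00":      # skip alignment padding
        pos += 2
    end = pos
    while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
        end += 2
    value = blob[pos:end].decode("utf-16le", errors="replace").lower()
    if not value:
        return None
    # Microsoft's user32.dll records just "user32" here (as the report shows).
    return value if value.endswith(".dll") else value + ".dll"


def assess(filename, blob):
    """Flag a file whose on-disk name hides the system DLL its metadata claims."""
    pdb = carve_pdb_name(blob)
    orig = carve_original_filename(blob)
    claimed = set()
    if pdb in PDB_TO_DLL:
        claimed.add(PDB_TO_DLL[pdb])
    if orig in SYSTEM_DLLS:
        claimed.add(orig)
    renamed = bool(claimed) and basename(filename).lower() not in claimed
    return {
        "file": filename,
        "pdb": pdb,
        "original_filename": orig,
        "claims_to_be": sorted(claimed),
        "renamed_system_dll": renamed,
    }


def build_sample_blob(pdb_name, original_filename):
    """Constructed stand-in for a dropped DLL image: filler bytes around the two
    records the carvers look for.  Not a real PE."""
    rsds = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb_name.encode() + b"\x00"
    version = (ORIGINAL_FILENAME_KEY + b"\x00\x00"
               + original_filename.encode("utf-16le") + b"\x00\x00")
    return b"MZ" + b"\x90" * 64 + rsds + b"\x00" * 16 + version + b"\x00" * 8


if __name__ == "__main__":
    image = build_sample_blob("wntdll.pdb", "ntdll.dll")
    print(assess(r"C:\Users\user\AppData\Local\Temp\6191a9.tmp", image))
    print(assess(r"C:\Windows\SysWOW64\ntdll.dll", image))
```

To use it on a real host, read each candidate under %TEMP% with `open(path, "rb").read()` and pass the bytes to `assess`; a hit on a .tmp file is worth pairing with the process that created it, since a legitimate copy of ntdll.dll outside System32/SysWOW64 is rare.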
      Source: C:\Users\user\Desktop\213.exeCode function: 1_2_0052ECA0 push eax; ret 1_2_0052ECCE
      Source: C:\Users\user\Desktop\213.exeCode function: 1_2_00530F14 push eax; ret 1_2_00530F32
      Source: C:\Users\user\Desktop\213.exeCode function: 1_2_1002C7F8 push edi; ret 1_2_1002C7FC
      Source: C:\Users\user\Desktop\213.exeCode function: 4_2_0052ECA0 push eax; ret 4_2_0052ECCE
      Source: C:\Users\user\Desktop\213.exeCode function: 4_2_00530F14 push eax; ret 4_2_00530F32
      Source: C:\Users\user\Desktop\213.exeCode function: 4_2_1002C7F8 push edi; ret 4_2_1002C7FC
      Source: QQWER.dll.1.drStatic PE information: section name: .rsrc entropy: 7.999713933191419
      Source: 6191a9.tmp.1.drStatic PE information: section name: .text entropy: 6.844531704449234
      Source: 61d161.tmp.4.drStatic PE information: section name: .text entropy: 6.844531704449234
      Source: C:\Users\user\Desktop\213.exeFile created: C:\Users\user\AppData\Local\Temp\6191a9.tmpJump to dropped file
      Source: C:\Users\user\Desktop\213.exeFile created: C:\Users\user\AppData\Local\Temp\61d1bf.tmpJump to dropped file
      Source: C:\Users\user\Desktop\213.exeFile created: C:\Users\user\AppData\Local\Temp\619216.tmpJump to dropped file
      Source: C:\Users\user\Desktop\213.exeFile created: C:\Users\user\AppData\Local\Temp\61d161.tmpJump to dropped file
      Source: C:\Users\user\Desktop\213.exeFile created: C:\Users\user\Desktop\QQWER.dllJump to dropped file
      Source: C:\Users\user\Desktop\213.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Jump to behavior
      Source: C:\Users\user\Desktop\213.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Jump to behavior
      Source: C:\Users\user\Desktop\213.exeCode function: 1_2_004CBF70 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow,1_2_004CBF70
      Source: C:\Users\user\Desktop\213.exeCode function: 1_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits,1_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeCode function: 4_2_004CBF70 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow,4_2_004CBF70
      Source: C:\Users\user\Desktop\213.exeCode function: 4_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits,4_2_1001F2ED
      Source: C:\Users\user\Desktop\213.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\213.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\213.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\213.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\213.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\213.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\213.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\213.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\213.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\213.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\213.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\213.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\213.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\213.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

Source: C:\Users\user\Desktop\213.exe | Evasive API call chain: CreateMutex, DecisionNodes, ExitProcess (graph_1-22804)
Source: C:\Users\user\Desktop\213.exe | File opened: C:\Windows\SysWOW64\ntdll.dll (reported twice)
Source: C:\Users\user\Desktop\213.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6191a9.tmp
Source: C:\Users\user\Desktop\213.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\61d1bf.tmp
Source: C:\Users\user\Desktop\213.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\619216.tmp
Source: C:\Users\user\Desktop\213.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\61d161.tmp
Source: C:\Users\user\Desktop\213.exe | Dropped PE file which has not been started: C:\Users\user\Desktop\QQWER.dll
Source: C:\Users\user\Desktop\213.exe | File Volume queried: C:\ FullSizeInformation (reported twice)
Source: C:\Users\user\Desktop\213.exe | Code function: 1_2_1000710E GetVersionExA,GetSystemInfo,RtlGetNtVersionNumbers, 1_2_1000710E
Source: 213.exe, 00000001.00000002.2647752348.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000001.00000002.2647752348.0000000000A5B000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000002.2647341814.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000002.2647341814.0000000000B96000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000004.00000003.1612068298.0000000000B96000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\213.exe | API call chain: ExitProcess graph end node (graph_1-22918)
Source: C:\Users\user\Desktop\213.exe | API call chain: ExitProcess graph end node (graph_4-22829)
Source: C:\Users\user\Desktop\213.exe | Code function: 1_2_10004B1B LdrInitializeThunk, 1_2_10004B1B
Source: C:\Users\user\Desktop\213.exe | Code function: 1_2_004C3FD0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary, 1_2_004C3FD0
Source: C:\Users\user\Desktop\213.exe | Code function: 1_2_1001A4C7 mov eax, dword ptr fs:[00000030h] 1_2_1001A4C7
Source: C:\Users\user\Desktop\213.exe | Code function: 1_2_1000AE99 mov eax, dword ptr fs:[00000030h] 1_2_1000AE99
Source: C:\Users\user\Desktop\213.exe | Code function: 4_2_1001A4C7 mov eax, dword ptr fs:[00000030h] 4_2_1001A4C7
Source: C:\Users\user\Desktop\213.exe | Code function: 4_2_1000AE99 mov eax, dword ptr fs:[00000030h] 4_2_1000AE99
Source: C:\Users\user\Desktop\213.exe | Code function: 1_2_004B0C30 GetProcessHeap,RtlAllocateHeap, 1_2_004B0C30
Source: C:\Users\user\Desktop\213.exe | Process token adjusted: Debug (reported twice)
Source: 213.exe | Binary or memory string: @TaskbarCreatedShell_TrayWndTrayNotifyWndSysPagerToolbarWindow32@@
Source: 213.exe, 00000001.00000002.2647752348.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000001.00000002.2649779035.0000000002EF3000.00000040.00000020.00020000.00000000.sdmp, 213.exe, 00000001.00000003.1369730161.0000000002B94000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow
Source: 213.exe | Binary or memory string: Shell_TrayWnd
Source: 213.exe, 00000001.00000002.2647752348.00000000009AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow^
Source: 213.exe, 00000001.00000002.2647752348.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, 213.exe, 00000001.00000002.2649779035.0000000002EF3000.00000040.00000020.00020000.00000000.sdmp, 213.exe, 00000001.00000003.1369730161.0000000002B94000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\213.exe | Code function: 1_2_10019EDC cpuid 1_2_10019EDC
Source: C:\Users\user\Desktop\213.exe | Code function: 1_2_0052D6A8 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA, 1_2_0052D6A8
MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the count badge the report shows beside matched techniques)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Native API (11); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Registry Run Keys / Startup Folder (1); LSASS Driver (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (2); Registry Run Keys / Startup Folder (1); LSASS Driver (1); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (1); Process Injection (2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (12); Timestomp (1); DLL Side-Loading (1)
Credential Access: Input Capture (11); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (111); Process Discovery (1); Application Window Discovery (1); System Information Discovery (15); Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Screen Capture (1); Input Capture (11); Archive Collected Data (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Source | Detection | Scanner | Label | Link
213.exe | 47% | ReversingLabs | |
213.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\Desktop\QQWER.dll | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\6191a9.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\619216.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\61d161.tmp | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\61d1bf.tmp | 0% | ReversingLabs | |
C:\Users\user\Desktop\QQWER.dll | 73% | ReversingLabs | Win32.Infostealer.OnlineGames |
      No Antivirus matches
      No Antivirus matches
Source | Detection | Scanner | Label | Link
http://42.193.100.57/ | 0% | Avira URL Cloud | safe |
http://.httpsset-cookie:;; | 0% | Avira URL Cloud | safe |
http://ocsp.t | 0% | Avira URL Cloud | safe |
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt2 | 0% | Avira URL Cloud | safe |
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9Or&8 | 0% | Avira URL Cloud | safe |
http://ts-ocsp.ws.s | 0% | Avira URL Cloud | safe |
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt3 | 0% | Avira URL Cloud | safe |
http://ts-ocsp.ws.symantec. | 0% | Avira URL Cloud | safe |
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtl | 0% | Avira URL Cloud | safe |
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt( | 0% | Avira URL Cloud | safe |
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt | 0% | Avira URL Cloud | safe |
http://sf.symc | 0% | Avira URL Cloud | safe |
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtD: | 0% | Avira URL Cloud | safe |
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtW | 0% | Avira URL Cloud | safe |
https://ww(w.v | 0% | Avira URL Cloud | safe |
http://42.193.100.57/%E5%AD%98%E6%A1%A3/ | 0% | Avira URL Cloud | safe |
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt | 0% | Avira URL Cloud | safe |
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtH | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.eyuyan.com)DVarFileInfo$ | 213.exe | false | | high
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt( | 213.exe, 00000001.00000002.2647752348.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.t | 213.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/ | 213.exe, 00000001.00000002.2647752348.0000000000A45000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://.httpsset-cookie:;; | 213.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt2 | 213.exe, 00000001.00000002.2647752348.0000000000A4F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtl | 213.exe, 00000001.00000002.2647752348.0000000000A23000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9Or&8 | 213.exe, 00000004.00000003.1611716242.0000000000BAC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ts-ocsp.ws.s | 213.exe | false | Avira URL Cloud: safe | unknown
https://note.youdao.com/yws/public/note/03cb89fe74e7b4305099ed5dabde2135?sev=j1 | 213.exe | false | | high
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt3 | 213.exe, 00000004.00000002.2647341814.0000000000B08000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ts-ocsp.ws.symantec. | 213.exe | false | Avira URL Cloud: safe | unknown
http://sf.symc | 213.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtD: | 213.exe, 00000004.00000002.2647341814.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtH | 213.exe, 00000004.00000002.2647341814.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtW | 213.exe, 00000001.00000002.2647752348.0000000000A23000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ww(w.v | 213.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E5%AD%98%E6%A1%A3/ | 213.exe | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
42.193.100.57 | unknown | China | 4249 | LILLY-ASUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1559172
Start date and time: 2024-11-20 09:14:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 213.exe
Detection: MAL
Classification: mal84.evad.winEXE@2/11@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): www.bing.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 213.exe
Time | Type | Description
09:15:11 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\user\Desktop\213.exe
            No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net | file.exe | malicious | LummaC | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | file.exe | malicious | Stealc | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | file.exe | malicious | LummaC | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | PO-000041492.xls | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Credit_DetailsCBS24312017915.xla.xlsx | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Payment Advice.xls | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Delivery_Notification_00116030.doc.js | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | file.exe | malicious | LummaC | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 13.107.246.45
Match | Associated Sample Name / URL | Detection | Threat Name | Context
LILLY-ASUS | SWIFT COPY 0028_pdf.exe | malicious | FormBook | 43.155.76.124
LILLY-ASUS | arm7.nn-20241120-0508.elf | malicious | Mirai, Okiru | 43.52.215.121
LILLY-ASUS | arm.nn-20241120-0508.elf | malicious | Mirai, Okiru | 43.152.251.74
LILLY-ASUS | x86_32.nn.elf | malicious | Mirai, Okiru | 40.221.176.183
LILLY-ASUS | https://trackwniw.top/i | malicious | Unknown | 43.130.33.71
LILLY-ASUS | https://trackwniw.top/i | malicious | Unknown | 43.130.33.71
LILLY-ASUS | owari.m68k.elf | malicious | Unknown | 42.132.90.14
LILLY-ASUS | owari.arm7.elf | malicious | Mirai | 43.100.132.215
LILLY-ASUS | owari.arm.elf | malicious | Unknown | 40.167.148.109
LILLY-ASUS | owari.spc.elf | malicious | Unknown | 40.205.187.175
            No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\Desktop\QQWER.dll | 212.exe | malicious | Unknown |
C:\Users\user\Desktop\QQWER.dll | 214.exe | malicious | Unknown |
Process: C:\Users\user\Desktop\213.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1700528
Entropy (8bit): 6.288798696103936
Encrypted: false
SSDEEP: 24576:vF8GkmrhlXJ7ldPaBm8elmb4PnpRJQ5c/Juevy91FLaOslVtUE+Vohk:1rhlXtl58elmb4BDQ5ai91iOXV5
MD5: D813A601075A811B84141782D1B9FAF1
SHA1: F295D781607346449289253F07DCB1423CAE1BE8
SHA-256: 98369370E3E0CFD3950B8C2121785C4EADBE621B7BEDD1BDF5B421548EA29AB8
SHA-512: BFBFABBCC3A6A0CD588061CB6D5F98A06571D5C2F928C9901C3D20F5CF1CFDF2AD511D096428D9B2C2267375E155FBB7CAE3E701BE386134464C6AEA4B0FAF2C
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low
Process: C:\Users\user\Desktop\213.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1682880
Entropy (8bit): 5.3372296802664785
Encrypted: false
SSDEEP: 24576:LoAGn8EMQPqUGB69co81PJJBwuCx59U4IgL5p1z:q8lUU1RJBwuOTU4Ik
MD5: 7F046ED9E2CD73D41BA0618403C75A51
SHA1: BB37BC45DAE1A347BC01EB5A25DB6B50573881A7
SHA-256: 1809F02D347C1C4ED16E561692E6A79C73F756F647223CF96242A80397F1310E
SHA-512: D381090A246A03FF30E1421C3E2E646A71A38F0428DA9EDE870613394165904AA3FE83B0E8C8F2A024B16345DE5C7C16F4C278838FFD9DE659154629BEB0ECD5
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low
Process: C:\Users\user\Desktop\213.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1700528
Entropy (8bit): 6.288798696103936
Encrypted: false
SSDEEP: 24576:vF8GkmrhlXJ7ldPaBm8elmb4PnpRJQ5c/Juevy91FLaOslVtUE+Vohk:1rhlXtl58elmb4BDQ5ai91iOXV5
MD5: D813A601075A811B84141782D1B9FAF1
SHA1: F295D781607346449289253F07DCB1423CAE1BE8
SHA-256: 98369370E3E0CFD3950B8C2121785C4EADBE621B7BEDD1BDF5B421548EA29AB8
SHA-512: BFBFABBCC3A6A0CD588061CB6D5F98A06571D5C2F928C9901C3D20F5CF1CFDF2AD511D096428D9B2C2267375E155FBB7CAE3E701BE386134464C6AEA4B0FAF2C
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low
Process: C:\Users\user\Desktop\213.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1682880
Entropy (8bit): 5.3372296802664785
Encrypted: false
SSDEEP: 24576:LoAGn8EMQPqUGB69co81PJJBwuCx59U4IgL5p1z:q8lUU1RJBwuOTU4Ik
MD5: 7F046ED9E2CD73D41BA0618403C75A51
SHA1: BB37BC45DAE1A347BC01EB5A25DB6B50573881A7
SHA-256: 1809F02D347C1C4ED16E561692E6A79C73F756F647223CF96242A80397F1310E
SHA-512: D381090A246A03FF30E1421C3E2E646A71A38F0428DA9EDE870613394165904AA3FE83B0E8C8F2A024B16345DE5C7C16F4C278838FFD9DE659154629BEB0ECD5
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: low
Process: C:\Users\user\Desktop\213.exe
File Type: PC bitmap, Windows 3.x format, 88 x 30 x 24, image size 7920, cbSize 7974, bits offset 54
Category: dropped
Size (bytes): 7974
Entropy (8bit): 5.673356453027983
Encrypted: false
SSDEEP: 192:Ff/ZR+G5hr4gwFy2EmU8fTDAa/AUdiwcWOWNnLV:FfbEzsxUdinWDh
MD5: 7E50424DE95D765740BCE30899FA4E3B
SHA1: 306B279E18EB8830960449758C025C0F13F7A484
SHA-256: 1886332AA5F083560E14B3E7DAEF8BFBFA7BE16FBD93CC10CD84C11C87014AA6
SHA-512: 4E9349366B4A16111B47E6E78D289DC22892BA7B2E5E5A8F46C808CA268FEEE1D7483A4E43F46686DB24E4C50C4BABBD2A8722D323A25C7656F31C45D186B5A3
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\213.exe
File Type: PC bitmap, Windows 3.x format, 43 x 25 x 24, image size 3300, cbSize 3354, bits offset 54
Category: dropped
Size (bytes): 3354
Entropy (8bit): 2.989481212693407
Encrypted: false
SSDEEP: 12:hqVRlllllllllLlll7lllllllllp9l+fs9WLtOlqTT9WLXLELc9WLccwlVLcEAAZ:pIsgTZMY
MD5: 6391A0DCDD648730D0801673DAA5E9C9
SHA1: 023E19E73F390D6C976A75E4804E356F8D4E2B79
SHA-256: 8CBC9646B997839C056FA4C663B843971C084CDC044502753A543D83D35092C5
SHA-512: 17C8C196F2D27928FA01E2A461E9F2400E1ACFE73B50A3B3B9A03C3117D2EEC346E9032CE35DA508C26BE561404142DD073D5F7E393729160830EE148C5F4536
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\213.exe
File Type: PC bitmap, Windows 3.x format, 122 x 40 x 24, image size 14720, cbSize 14774, bits offset 54
Category: dropped
Size (bytes): 14774
Entropy (8bit): 4.868699837953847
Encrypted: false
SSDEEP: 384:fDinzsGO052UtTri2fzOJ3pzvdTzD8mZxEBxQ74w2jBfG79s6OY:riA/w1ObZSny4dRI9Hh
MD5: EE883808D176D23096A2D4F339C84368
SHA1: D901775EDE136567215ABE718023C1A62F46A0A6
SHA-256: 3D28C7A863B6E937EBC72AD585F94359B6BC2FF8523173DB0FEEFBC803AB372B
SHA-512: F14CF6522847121246B7913FA1C800227EEEAFAE5F7AA44D2E45ED55EC50B2A729C109B222D0F2E3FECFB3B16031AEF742C286DA0393322A73C4B182C71033D3
Malicious: false
Reputation: low
                Process:C:\Users\user\Desktop\213.exe
                File Type:PC bitmap, Windows 3.x format, 124 x 21 x 24, image size 7812, cbSize 7866, bits offset 54
                Category:dropped
                Size (bytes):7866
                Entropy (8bit):2.8370523003123043
                Encrypted:false
                SSDEEP:24:o4XlQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQP:T+QgQ2VQPQ/QNQmQTQGQKxQyQIHiw1
                MD5:5D70530E3663B004B68425154CB9AFB9
                SHA1:46CFADA3D2EDE8A3280598BD4E2EC89CE0C7D56F
                SHA-256:0818DF2198DA1889321E82F769F3AA6B01F9CD773987354A8F5E0908379F45CE
                SHA-512:824569EAB3FBB412708BB35CDF0A3630289008307A518E68253CFAAD379CFB830C56A2582D2FB071561BF2FB3ADB2535CEBA13319A3A096009357E152022119E
                Malicious:false
                Process:C:\Users\user\Desktop\213.exe
                File Type:PC bitmap, Windows 3.x format, 132 x 32 x 24, image size 12672, cbSize 12726, bits offset 54
                Category:dropped
                Size (bytes):12726
                Entropy (8bit):5.79054775797227
                Encrypted:false
                SSDEEP:384:xcEOHiLY/s8/wo4C4tPzSrEEBN/LMzeW1:xcdHiLeF4Q4pSY+hLMzv
                MD5:FA9FA099399E2ADF93BE1348C4AED087
                SHA1:3FB710D8AD919AE6783E222DF46305E39FA81098
                SHA-256:3749B52884564A500221E53DE5FCF24A2F6E3EDB4E58ADB13CF2B5F8F422BA7B
                SHA-512:A6D378F8AD7EFAF4A3067D3F601AFAB53C83947DA29C9F6A21BAD21F287D2CAB093939BD017F32971EE6B3DA1EC82BE6D59234CB446A325A33C8AA5215200DD8
                Malicious:false
                Process:C:\Users\user\Desktop\213.exe
                File Type:PC bitmap, Windows 3.x format, 312 x 196 x 24, image size 183456, cbSize 183510, bits offset 54
                Category:dropped
                Size (bytes):183510
                Entropy (8bit):5.556020063769881
                Encrypted:false
                SSDEEP:3072:6Sv2XACrsCmcuRGDpKiVarMsILpZTjDuD:rv2tNRdn5hpZvQ
                MD5:1C4B3140D22A2921DC9E023E3E68963E
                SHA1:0D4F280950E2221F30D40DF40A14C496FD5B9723
                SHA-256:4F7D1D27980D902757136771413B5B9E681D7D5664259F8C0914DAEF986F1614
                SHA-512:F0615BDA954AA84B871237F7BD64046BB99CAD7EE1CB43C28917B13EB5EC08120E659138C721A660D8B00567E00B79BB6C9384ED30E8EB522D84617177642037
                Malicious:false
                Process:C:\Users\user\Desktop\213.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):687517
                Entropy (8bit):7.999653084247243
                Encrypted:true
                SSDEEP:12288:nAPtAe/2ByNkI6K8Pi7GMskNEkzJ0x1d2GpSI5EwLtwun3aPh:nEtAemv+hNZGTds9UtwgqPh
                MD5:4B7109E2F77FF15219B81079DF8C12B2
                SHA1:AB3BF417AF304B83CD49707E399BC06E1E10D519
                SHA-256:BE7A0A59B36299F40D6AC2FC126ACFD6C8BBFF8C4F8D9D85267DF3E2E1E3AED3
                SHA-512:770EBECF21AAD663BB27F7800AE476FF3B9EF444FF661916CB50E65AE4987DDE7413E4AE83FD152C47A296C13E41D4544AED3C780F0F5958BB605F57016537E7
                Malicious:true
                Antivirus:
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 73%
                Joe Sandbox View:
                • Filename: 212.exe, Detection: malicious
                • Filename: 214.exe, Detection: malicious
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):6.337329259152665
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:213.exe
                File size:5'222'400 bytes
                MD5:92b87c6d54d69691eaa9d2d3021b9cf6
                SHA1:177fb16e46c31239d6817dfebe438456801f6026
                SHA256:145f0792808529be8c426d0537641741881c2f997f9af96ac52d132154721900
                SHA512:1d89320648f9c07eef54f2c5b42049141866e72850b28edeb056a64ede52dcb0ba132f4614d2c4dd113dde9b5bfa501b088c7734cf2b448566586b3a2aabeb9b
                SSDEEP:98304:7XiPLWfgFysKoRdqP5PSbRQTD4wP7wxJRzoSbRQTD4wP7wxJRz4:++f7oH+/z7wxJRR+/z7wxJRE
                TLSH:CA36AD03B262C862D2142BB455F5E738D6784FA17C75CB43E7E0FCA37D72A636A52209
                Icon Hash:0f4d70f0ed71330f
                Entrypoint:0x52d6a8
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                DLL Characteristics:
                Time Stamp:0x672B0908 [Wed Nov 6 06:13:28 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:04c7a30e342800eb893154d4d8d3104c
                Instruction
                push ebp
                mov ebp, esp
                push FFFFFFFFh
                push 007C9A78h
                push 00530514h
                mov eax, dword ptr fs:[00000000h]
                push eax
                mov dword ptr fs:[00000000h], esp
                sub esp, 58h
                push ebx
                push esi
                push edi
                mov dword ptr [ebp-18h], esp
                call dword ptr [005503E8h]
                xor edx, edx
                mov dl, ah
                mov dword ptr [00828EACh], edx
                mov ecx, eax
                and ecx, 000000FFh
                mov dword ptr [00828EA8h], ecx
                shl ecx, 08h
                add ecx, edx
                mov dword ptr [00828EA4h], ecx
                shr eax, 10h
                mov dword ptr [00828EA0h], eax
                push 00000001h
                call 00007F8B6CE39D37h
                pop ecx
                test eax, eax
                jne 00007F8B6CE33D1Ah
                push 0000001Ch
                call 00007F8B6CE33DD8h
                pop ecx
                call 00007F8B6CE39AE2h
                test eax, eax
                jne 00007F8B6CE33D1Ah
                push 00000010h
                call 00007F8B6CE33DC7h
                pop ecx
                xor esi, esi
                mov dword ptr [ebp-04h], esi
                call 00007F8B6CE39910h
                call dword ptr [00550358h]
                mov dword ptr [0082E0E4h], eax
                call 00007F8B6CE397CEh
                mov dword ptr [00828E18h], eax
                call 00007F8B6CE39577h
                call 00007F8B6CE394B9h
                call 00007F8B6CE383EAh
                mov dword ptr [ebp-30h], esi
                lea eax, dword ptr [ebp-5Ch]
                push eax
                call dword ptr [005501C8h]
                call 00007F8B6CE3944Ah
                mov dword ptr [ebp-64h], eax
                test byte ptr [ebp-30h], 00000001h
                je 00007F8B6CE33D18h
                movzx eax, word ptr [ebp+00h]
                Programming Language:
                • [C++] VS98 (6.0) SP6 build 8804
                • [ C ] VS98 (6.0) SP6 build 8804
                • [C++] VS98 (6.0) build 8168
                • [ C ] VS98 (6.0) build 8168
                • [EXP] VC++ 6.0 SP5 build 8804
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d2a28 | 0x12c | .rdata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x42f000 | 0x10ce8c | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x150000 | 0x7d8 | .rdata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0x14e97e | 0x14f000 | 9a8413c112a87e8ae59780b079c7b682 | False | 0.40904923624067163 | data | 6.41839594766701 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rdata | 0x150000 | 0x2852b4 | 0x286000 | 3239aeddba968949fcc8670dc7443c8a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data | 0x3d6000 | 0x580ea | 0x18000 | cd042b958c718cedd43a8805f94fdaca | False | 0.30389404296875 | data | 5.07543745137401 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc | 0x42f000 | 0x10ce8c | 0x10d000 | e64db9b885839be50d9740fb68390968 | False | 0.4221699654391264 | data | 4.847579887280327 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                TEXTINCLUDE | 0x42fb9c | 0xb | ASCII text, with no line terminators | Chinese | China | 1.7272727272727273
                TEXTINCLUDE | 0x42fba8 | 0x16 | data | Chinese | China | 1.3636363636363635
                TEXTINCLUDE | 0x42fbc0 | 0x151 | C source, ASCII text, with CRLF line terminators | Chinese | China | 0.6201780415430267
                RT_CURSOR | 0x42fd14 | 0x134 | data | Chinese | China | 0.5811688311688312
                RT_CURSOR | 0x42fe48 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.37662337662337664
                RT_CURSOR | 0x42ff7c | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.4805194805194805
                RT_CURSOR | 0x4300b0 | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | Chinese | China | 0.7
                RT_BITMAP | 0x430164 | 0x248 | Device independent bitmap graphic, 64 x 15 x 4, image size 480 | Chinese | China | 0.3407534246575342
                RT_BITMAP | 0x4303ac | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.4444444444444444
                RT_BITMAP | 0x4304f0 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.26453488372093026
                RT_BITMAP | 0x430648 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2616279069767442
                RT_BITMAP | 0x4307a0 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2441860465116279
                RT_BITMAP | 0x4308f8 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.24709302325581395
                RT_BITMAP | 0x430a50 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2238372093023256
                RT_BITMAP | 0x430ba8 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.19476744186046513
                RT_BITMAP | 0x430d00 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.20930232558139536
                RT_BITMAP | 0x430e58 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.18895348837209303
                RT_BITMAP | 0x430fb0 | 0x5e4 | Device independent bitmap graphic, 70 x 39 x 4, image size 1404 | Chinese | China | 0.34615384615384615
                RT_BITMAP | 0x431594 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | Chinese | China | 0.44565217391304346
                RT_BITMAP | 0x43164c | 0x16c | Device independent bitmap graphic, 39 x 13 x 4, image size 260 | Chinese | China | 0.28296703296703296
                RT_BITMAP | 0x4317b8 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.37962962962962965
                RT_ICON | 0x4318fc | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Chinese | China | 0.26344086021505375
                RT_ICON | 0x431be4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Chinese | China | 0.41216216216216217
                RT_ICON | 0x431d0c | 0x108028 | Device independent bitmap graphic, 512 x 1024 x 32, image size 2097152 | | | 0.43531131744384766
                RT_MENU | 0x539d34 | 0xc | data | Chinese | China | 1.5
                RT_MENU | 0x539d40 | 0x284 | data | Chinese | China | 0.5
                RT_DIALOG | 0x539fc4 | 0x98 | data | Chinese | China | 0.7171052631578947
                RT_DIALOG | 0x53a05c | 0x17a | data | Chinese | China | 0.5185185185185185
                RT_DIALOG | 0x53a1d8 | 0xfa | data | Chinese | China | 0.696
                RT_DIALOG | 0x53a2d4 | 0xea | data | Chinese | China | 0.6239316239316239
                RT_DIALOG | 0x53a3c0 | 0x8ae | data | Chinese | China | 0.39603960396039606
                RT_DIALOG | 0x53ac70 | 0xb2 | data | Chinese | China | 0.7359550561797753
                RT_DIALOG | 0x53ad24 | 0xcc | data | Chinese | China | 0.7647058823529411
                RT_DIALOG | 0x53adf0 | 0xb2 | data | Chinese | China | 0.6629213483146067
                RT_DIALOG | 0x53aea4 | 0xe2 | data | Chinese | China | 0.6637168141592921
                RT_DIALOG | 0x53af88 | 0x18c | data | Chinese | China | 0.5227272727272727
                RT_STRING | 0x53b114 | 0x50 | data | Chinese | China | 0.85
                RT_STRING | 0x53b164 | 0x2c | data | Chinese | China | 0.5909090909090909
                RT_STRING | 0x53b190 | 0x78 | data | Chinese | China | 0.925
                RT_STRING | 0x53b208 | 0x1c4 | data | Chinese | China | 0.8141592920353983
                RT_STRING | 0x53b3cc | 0x12a | data | Chinese | China | 0.5201342281879194
                RT_STRING | 0x53b4f8 | 0x146 | data | Chinese | China | 0.6288343558282209
                RT_STRING | 0x53b640 | 0x40 | data | Chinese | China | 0.65625
                RT_STRING | 0x53b680 | 0x64 | data | Chinese | China | 0.73
                RT_STRING | 0x53b6e4 | 0x1d8 | data | Chinese | China | 0.6758474576271186
                RT_STRING | 0x53b8bc | 0x114 | data | Chinese | China | 0.6376811594202898
                RT_STRING | 0x53b9d0 | 0x24 | data | Chinese | China | 0.4444444444444444
                RT_GROUP_CURSOR | 0x53b9f4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.25
                RT_GROUP_CURSOR | 0x53ba08 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.25
                RT_GROUP_CURSOR | 0x53ba1c | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China | 1.0294117647058822
                RT_GROUP_ICON | 0x53ba40 | 0x14 | Targa image data - Map 32 x 32808 x 16 | | | 1.1
                RT_GROUP_ICON | 0x53ba54 | 0x14 | data | Chinese | China | 1.2
                RT_GROUP_ICON | 0x53ba68 | 0x14 | data | Chinese | China | 1.25
                RT_VERSION | 0x53ba7c | 0x240 | data | Chinese | China | 0.5642361111111112
                RT_MANIFEST | 0x53bcbc | 0x1cd | XML 1.0 document, ASCII text, with very long lines (461), with no line terminators | | | 0.5878524945770065
                DLL | Import
                WINMM.dll | midiStreamOut, midiOutPrepareHeader, midiStreamProperty, midiStreamOpen, midiOutUnprepareHeader, waveOutOpen, waveOutRestart, waveOutUnprepareHeader, waveOutPrepareHeader, waveOutWrite, waveOutPause, waveOutReset, waveOutClose, midiStreamStop, midiOutReset, midiStreamClose, midiStreamRestart, waveOutGetNumDevs
                WS2_32.dll | WSAAsyncSelect, closesocket, send, select, WSAStartup, inet_ntoa, recvfrom, ioctlsocket, recv, getpeername, accept, WSACleanup, ntohl
                RASAPI32.dll | RasGetConnectStatusA, RasHangUpA
                KERNEL32.dll | MultiByteToWideChar, SetLastError, GetTimeZoneInformation, OpenProcess, TerminateThread, FileTimeToSystemTime, CreateMutexA, ReleaseMutex, SuspendThread, GetStartupInfoA, GetOEMCP, GetCPInfo, GetProcessVersion, SetErrorMode, GlobalFlags, GetCurrentThread, GetFileTime, TlsGetValue, LocalReAlloc, TlsSetValue, TlsFree, GlobalHandle, TlsAlloc, LocalAlloc, lstrcmpA, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, lstrcmpiA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, DuplicateHandle, lstrcpynA, FileTimeToLocalFileTime, LocalFree, WideCharToMultiByte, InterlockedDecrement, InterlockedIncrement, TerminateProcess, GetCurrentProcess, GetFileSize, SetFilePointer, CreateToolhelp32Snapshot, Process32First, Process32Next, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, lstrlenW, RemoveDirectoryA, GetModuleFileNameA, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GetDriveTypeA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetUserDefaultLCID, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, GetPrivateProfileStringA, CreateThread, CreateEventA, Sleep, ExpandEnvironmentStringsA, GlobalAlloc, GlobalLock, GlobalUnlock, FindFirstFileA, FindClose, SetFileAttributesA, InterlockedExchange, GetFileAttributesA, DeleteFileA, GetCurrentDirectoryA, SetCurrentDirectoryA, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, MulDiv, GetCommandLineA, GetTickCount, CreateProcessA, WaitForSingleObject, CloseHandle, RtlUnwind, GetSystemTime, GetLocalTime, RaiseException, HeapSize, GetACP, SetStdHandle, GetFileType, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, SetEnvironmentVariableA, LCMapStringA, LCMapStringW, VirtualAlloc, IsBadWritePtr, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, CompareStringA, CompareStringW, IsBadReadPtr, IsBadCodePtr, GetVersion
                USER32.dll | SetWindowRgn, DestroyAcceleratorTable, GetWindow, GetActiveWindow, SetFocus, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, WinHelpA, KillTimer, SetTimer, IsIconic, PeekMessageA, SetMenu, GetMenu, DeleteMenu, GetSystemMenu, DefWindowProcA, GetClassInfoA, IsZoomed, PostQuitMessage, CopyAcceleratorTableA, GetKeyState, TranslateAcceleratorA, IsWindowEnabled, ShowWindow, SystemParametersInfoA, LoadImageA, EnumDisplaySettingsA, ClientToScreen, EnableMenuItem, GetSubMenu, GetDlgCtrlID, ReleaseCapture, GetCapture, SetCapture, GetScrollRange, SetScrollRange, SetScrollPos, SetRect, InflateRect, IntersectRect, DestroyIcon, PtInRect, OffsetRect, IsWindowVisible, EnableWindow, RedrawWindow, GetWindowLongA, SetWindowLongA, GetSysColor, SetActiveWindow, CreateAcceleratorTableA, LoadStringA, GetMenuCheckMarkDimensions, GetMenuState, SetMenuItemBitmaps, CheckMenuItem, MoveWindow, IsDialogMessageA, ScrollWindowEx, SendDlgItemMessageA, MapWindowPoints, AdjustWindowRectEx, GetScrollPos, RegisterClassA, GetMenuItemCount, GetMenuItemID, SetWindowsHookExA, CallNextHookEx, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, RemovePropA, GetMessageTime, GetLastActivePopup, SetCursorPos, LoadCursorA, SetCursor, GetDC, FillRect, IsRectEmpty, ReleaseDC, IsChild, DestroyMenu, SetForegroundWindow, GetWindowRect, EqualRect, UpdateWindow, ValidateRect, InvalidateRect, GetClientRect, GetFocus, GetParent, GetTopWindow, PostMessageA, IsWindow, SetParent, DestroyCursor, SendMessageA, SetWindowPos, MessageBoxA, GetCursorPos, GetSystemMetrics, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, wsprintfA, WaitForInputIdle, CreateMenu, ModifyMenuA, AppendMenuA, CreatePopupMenu, DrawIconEx, CreateIconFromResource, CreateIconFromResourceEx, RegisterClipboardFormatA, SetRectEmpty, DispatchMessageA, GetMessageA, WindowFromPoint, DrawFocusRect, DrawEdge, DrawFrameControl, TranslateMessage, LoadIconA, UnregisterClassA, GetDesktopWindow, GetClassNameA, GetWindowThreadProcessId, GetDlgItem, GetWindowTextA, CallWindowProcA, CreateWindowExA, RegisterHotKey, UnregisterHotKey, SetWindowTextA, GetSysColorBrush, FindWindowA, GetWindowTextLengthA, CharUpperA, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, DestroyWindow, CreateDialogIndirectParamA, EndDialog, GetNextDlgTabItem, GetWindowPlacement, RegisterWindowMessageA, GetForegroundWindow
                GDI32.dll | PtVisible, GetViewportExtEx, ExtSelectClipRgn, LineTo, Ellipse, Rectangle, LPtoDP, DPtoLP, GetCurrentObject, RoundRect, GetTextExtentPoint32A, GetDeviceCaps, RealizePalette, SelectPalette, StretchBlt, CreatePalette, RectVisible, CreateDIBitmap, DeleteObject, SelectClipRgn, CreatePolygonRgn, GetClipRgn, SetStretchBltMode, CreateRectRgnIndirect, SetBkColor, CreateFontA, TranslateCharsetInfo, MoveToEx, ExcludeClipRect, GetClipBox, ScaleWindowExtEx, SetWindowExtEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, TextOutA, ExtTextOutA, Escape, GetTextMetricsA, CreateCompatibleDC, BitBlt, StartPage, StartDocA, DeleteDC, EndDoc, EndPage, GetObjectA, GetStockObject, CreateFontIndirectA, CreateSolidBrush, FillRgn, CreateRectRgn, CombineRgn, PatBlt, CreatePen, SelectObject, CreateBitmap, SetViewportOrgEx, SetMapMode, SetTextColor, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, CreateDCA, CreateCompatibleBitmap, GetPolyFillMode, GetStretchBltMode, GetROP2, GetBkColor, GetBkMode, GetTextColor, CreateRoundRectRgn, CreateEllipticRgn, PathToRegion, EndPath, BeginPath, GetWindowOrgEx, GetViewportOrgEx, GetWindowExtEx, GetSystemPaletteEntries, GetDIBits
                WINSPOOL.DRV | OpenPrinterA, DocumentPropertiesA, ClosePrinter
                ADVAPI32.dll | RegQueryValueExA, RegOpenKeyExA, RegSetValueExA, RegDeleteValueA, RegQueryValueA, RegCreateKeyExA, RegOpenKeyA, RegCloseKey
                SHELL32.dll | Shell_NotifyIconA, SHGetSpecialFolderPathA, SHChangeNotify, ShellExecuteA, DragQueryFileA, DragFinish, DragAcceptFiles
                ole32.dll | CLSIDFromProgID, OleRun, CoCreateInstance, CLSIDFromString, OleUninitialize, OleInitialize
                OLEAUT32.dll | VariantChangeType, VariantClear, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetElement, VariantCopyInd, VariantInit, SysAllocString, SafeArrayDestroy, SafeArrayGetDim, SafeArrayCreate, SafeArrayUnaccessData, UnRegisterTypeLib, LoadTypeLib, LHashValOfNameSys, RegisterTypeLib, SafeArrayPutElement, SafeArrayAccessData
                COMCTL32.dll | ImageList_Add, ImageList_BeginDrag, ImageList_Create, ImageList_Destroy, ImageList_DragEnter, ImageList_DragLeave, ImageList_DragMove, ImageList_DragShowNolock, ImageList_EndDrag
                WININET.dll | InternetCanonicalizeUrlA, InternetCrackUrlA, HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA, InternetConnectA, InternetSetOptionA, InternetOpenA, InternetCloseHandle, InternetReadFile
                comdlg32.dll | ChooseColorA, GetOpenFileNameA, GetFileTitleA, GetSaveFileNameA
                Language of compilation system | Country where language is spoken | Map
                Chinese | China |
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Nov 20, 2024 09:15:06.088249922 CET | 49755 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:06.088395119 CET | 49756 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:06.095396996 CET | 80 | 49755 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:06.095416069 CET | 80 | 49756 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:06.095506907 CET | 49755 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:06.095596075 CET | 49756 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:06.095788956 CET | 49756 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:06.095982075 CET | 49755 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:06.102956057 CET | 80 | 49756 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:06.103101969 CET | 80 | 49755 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:07.133349895 CET | 80 | 49756 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:07.133367062 CET | 80 | 49756 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:07.133378029 CET | 80 | 49756 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:07.133451939 CET | 49756 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:07.133451939 CET | 49756 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:07.133474112 CET | 80 | 49756 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:07.133486032 CET | 80 | 49756 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:07.133533955 CET | 49756 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:07.133533955 CET | 49756 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:10.269953012 CET | 80 | 49755 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:10.269970894 CET | 80 | 49755 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:10.269984007 CET | 80 | 49755 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:10.269998074 CET | 80 | 49755 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:10.270011902 CET | 80 | 49755 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:10.270026922 CET | 49755 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:10.270064116 CET | 49755 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:10.270087004 CET | 49755 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:12.082633018 CET | 49755 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:12.090876102 CET | 80 | 49755 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:12.499099016 CET | 80 | 49755 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:12.499186993 CET | 49755 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:12.499247074 CET | 80 | 49755 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:12.499260902 CET | 80 | 49755 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:12.499274015 CET | 80 | 49755 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:12.499288082 CET | 80 | 49755 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:12.499327898 CET | 49755 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:12.499382973 CET | 49755 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:19.160866976 CET | 49755 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:19.165961981 CET | 80 | 49755 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:20.188244104 CET | 80 | 49755 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:20.188260078 CET | 80 | 49755 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:20.188308954 CET | 49755 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:20.188376904 CET | 49755 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:21.806058884 CET | 49851 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:21.810906887 CET | 80 | 49851 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:21.810997963 CET | 49851 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:21.811161995 CET | 49851 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:21.816135883 CET | 80 | 49851 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:22.098149061 CET | 49855 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:22.103044987 CET | 80 | 49855 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:22.106249094 CET | 49855 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:22.106618881 CET | 49855 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:22.112929106 CET | 80 | 49855 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:22.897449017 CET | 80 | 49851 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:22.897471905 CET | 80 | 49851 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:22.897485018 CET | 80 | 49851 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:22.897495985 CET | 80 | 49851 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:22.897509098 CET | 49851 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:22.897511005 CET | 80 | 49851 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:22.897536039 CET | 49851 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:22.897584915 CET | 49851 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:23.205696106 CET | 80 | 49855 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:23.205714941 CET | 80 | 49855 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:23.205754995 CET | 49855 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:23.205765009 CET | 80 | 49855 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:23.205771923 CET | 49855 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:23.205781937 CET | 80 | 49855 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:23.205794096 CET | 80 | 49855 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:23.205802917 CET | 49855 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:23.205807924 CET | 80 | 49855 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:23.205822945 CET | 49855 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:23.205853939 CET | 49855 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:28.315618992 CET | 49855 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:28.320674896 CET | 80 | 49855 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:28.729660988 CET | 80 | 49855 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:28.729696989 CET | 80 | 49855 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:28.729712963 CET | 80 | 49855 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:28.729727983 CET | 80 | 49855 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:28.729744911 CET | 80 | 49855 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:28.729809046 CET | 49855 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:28.729809046 CET | 49855 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:35.330598116 CET | 49855 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:35.338176966 CET | 80 | 49855 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:35.747867107 CET | 80 | 49855 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:35.747908115 CET | 80 | 49855 | 42.193.100.57 | 192.168.2.3
                Nov 20, 2024 09:15:35.747992039 CET | 49855 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:15:35.747992039 CET | 49855 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:16:56.064635992 CET | 49755 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:16:56.064718008 CET | 49756 | 80 | 192.168.2.3 | 42.193.100.57
                Nov 20, 2024 09:16:56.071402073 CET804975542.193.100.57192.168.2.3
                Nov 20, 2024 09:16:56.071738005 CET804975642.193.100.57192.168.2.3
                Nov 20, 2024 09:16:56.072407961 CET4975580192.168.2.342.193.100.57
                Nov 20, 2024 09:16:56.078267097 CET4975680192.168.2.342.193.100.57
                Nov 20, 2024 09:17:11.783087969 CET4985180192.168.2.342.193.100.57
                Nov 20, 2024 09:17:11.783107996 CET4985580192.168.2.342.193.100.57
                Nov 20, 2024 09:17:11.788393021 CET804985142.193.100.57192.168.2.3
                Nov 20, 2024 09:17:11.788460016 CET4985180192.168.2.342.193.100.57
                Nov 20, 2024 09:17:11.788640976 CET804985542.193.100.57192.168.2.3
                Nov 20, 2024 09:17:11.788897038 CET4985580192.168.2.342.193.100.57
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Nov 20, 2024 09:14:58.533016920 CET | 1.1.1.1 | 192.168.2.3 | 0x17af | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                Nov 20, 2024 09:14:58.533016920 CET | 1.1.1.1 | 192.168.2.3 | 0x17af | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
                • 42.193.100.57
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.3 | 49756 | 42.193.100.57 | 80 | 8064 | C:\Users\user\Desktop\213.exe
                Timestamp | Bytes transferred | Direction | Data
                Nov 20, 2024 09:15:06.095788956 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                Accept: */*
                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                Host: 42.193.100.57
                Cache-Control: no-cache
                Nov 20, 2024 09:15:07.133349895 CET | 1236 | IN | HTTP/1.1 200 OK
                Content-Type: text/plain
                Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
                Accept-Ranges: bytes
                ETag: "c04e101e3bdb1:0"
                Server: Microsoft-IIS/8.5
                Date: Wed, 20 Nov 2024 08:15:06 GMT
                Content-Length: 5139


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                1 | 192.168.2.3 | 49755 | 42.193.100.57 | 80 | 8064 | C:\Users\user\Desktop\213.exe
                Timestamp | Bytes transferred | Direction | Data
                Nov 20, 2024 09:15:06.095982075 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                Accept: */*
                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                Host: 42.193.100.57
                Cache-Control: no-cache
                Nov 20, 2024 09:15:10.269953012 CET | 1236 | IN | HTTP/1.1 200 OK
                Content-Type: text/plain
                Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
                Accept-Ranges: bytes
                ETag: "c04e101e3bdb1:0"
                Server: Microsoft-IIS/8.5
                Date: Wed, 20 Nov 2024 08:15:10 GMT
                Content-Length: 5139
                Nov 20, 2024 09:15:12.082633018 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                Accept: */*
                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                Host: 42.193.100.57
                Cache-Control: no-cache
                Nov 20, 2024 09:15:12.499099016 CET | 1236 | IN | HTTP/1.1 200 OK
                Content-Type: text/plain
                Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
                Accept-Ranges: bytes
                ETag: "c04e101e3bdb1:0"
                Server: Microsoft-IIS/8.5
                Date: Wed, 20 Nov 2024 08:15:12 GMT
                Content-Length: 5139
                Nov 20, 2024 09:15:19.160866976 CET | 164 | OUT | GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1
                Accept: */*
                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                Host: 42.193.100.57
                Cache-Control: no-cache
                Nov 20, 2024 09:15:20.188244104 CET | 1236 | IN | HTTP/1.1 404 Not Found
                Content-Type: text/html
                Server: Microsoft-IIS/8.5
                Date: Wed, 20 Nov 2024 08:15:20 GMT
                Content-Length: 1163
                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1></h1></div><div id="content"> <div class="content-container"><fieldset> [TRUNCATED]
                Nov 20, 2024 09:15:20.188260078 CET | 64 | IN | Data Ascii: </h3> </fieldset></div></div></body></html>


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                2 | 192.168.2.3 | 49851 | 42.193.100.57 | 80 | 888 | C:\Users\user\Desktop\213.exe
                Timestamp | Bytes transferred | Direction | Data
                Nov 20, 2024 09:15:21.811161995 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                Accept: */*
                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                Host: 42.193.100.57
                Cache-Control: no-cache
                Nov 20, 2024 09:15:22.897449017 CET | 1236 | IN | HTTP/1.1 200 OK
                Content-Type: text/plain
                Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
                Accept-Ranges: bytes
                ETag: "c04e101e3bdb1:0"
                Server: Microsoft-IIS/8.5
                Date: Wed, 20 Nov 2024 08:15:22 GMT
                Content-Length: 5139


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                3 | 192.168.2.3 | 49855 | 42.193.100.57 | 80 | 888 | C:\Users\user\Desktop\213.exe
                Timestamp | Bytes transferred | Direction | Data
                Nov 20, 2024 09:15:22.106618881 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                Accept: */*
                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                Host: 42.193.100.57
                Cache-Control: no-cache
                Nov 20, 2024 09:15:23.205696106 CET | 1236 | IN | HTTP/1.1 200 OK
                Content-Type: text/plain
                Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
                Accept-Ranges: bytes
                ETag: "c04e101e3bdb1:0"
                Server: Microsoft-IIS/8.5
                Date: Wed, 20 Nov 2024 08:15:22 GMT
                Content-Length: 5139
                Nov 20, 2024 09:15:28.315618992 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                Accept: */*
                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                Host: 42.193.100.57
                Cache-Control: no-cache
                Nov 20, 2024 09:15:28.729660988 CET | 1236 | IN | HTTP/1.1 200 OK
                Content-Type: text/plain
                Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
                Accept-Ranges: bytes
                ETag: "c04e101e3bdb1:0"
                Server: Microsoft-IIS/8.5
                Date: Wed, 20 Nov 2024 08:15:28 GMT
                Content-Length: 5139
                Nov 20, 2024 09:15:35.330598116 CET | 164 | OUT | GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1
                Accept: */*
                User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                Host: 42.193.100.57
                Cache-Control: no-cache
                Nov 20, 2024 09:15:35.747867107 CET | 1236 | IN | HTTP/1.1 404 Not Found
                Content-Type: text/html
                Server: Microsoft-IIS/8.5
                Date: Wed, 20 Nov 2024 08:15:35 GMT
                Content-Length: 1163
                Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1></h1></div><div id="content"> <div class="content-container"><fieldset> [TRUNCATED]
                Nov 20, 2024 09:15:35.747908115 CET | 64 | IN | Data Ascii: </h3> </fieldset></div></div></body></html>



                Target ID:1
                Start time:03:15:03
                Start date:20/11/2024
                Path:C:\Users\user\Desktop\213.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\213.exe"
                Imagebase:0x400000
                File size:5'222'400 bytes
                MD5 hash:92B87C6D54D69691EAA9D2D3021B9CF6
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:false

                Target ID:4
                Start time:03:15:19
                Start date:20/11/2024
                Path:C:\Users\user\Desktop\213.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\213.exe"
                Imagebase:0x400000
                File size:5'222'400 bytes
                MD5 hash:92B87C6D54D69691EAA9D2D3021B9CF6
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:false


                  Execution Graph

                  Execution Coverage:6.7%
                  Dynamic/Decrypted Code Coverage:48.3%
                  Signature Coverage:37.7%
                  Total number of Nodes:748
                  Total number of Limit Nodes:20

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  APIs
                  • GetProcAddress.KERNEL32(00000000,007E95F4), ref: 004C4037
                  • LoadLibraryA.KERNEL32(?,?,007F9FD8), ref: 004C4127
                  • LoadLibraryA.KERNEL32(?,?), ref: 004C416D
                  • LoadLibraryA.KERNEL32(?,?,007F9EE0,00000001), ref: 004C41B5
                  • LoadLibraryA.KERNEL32(00000001), ref: 004C41CB
                  • GetProcAddress.KERNEL32(00000000,?), ref: 004C41DD
                  • FreeLibrary.KERNEL32(00000000), ref: 004C4270
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: Library$Load$AddressProc$Free
                  • String ID:
                  • API String ID: 3120990465-0
                  • Opcode ID: 7d23c86e5f4d8fdc60b7376af7fe00b9b921ff9eb7a82e5f92403be5a2653610
                  • Instruction ID: 0d97a38ab59ea2454446a38efc438f5ac4c2006ed55e6cbcbc5fa747bc10463a
                  • Opcode Fuzzy Hash: 7d23c86e5f4d8fdc60b7376af7fe00b9b921ff9eb7a82e5f92403be5a2653610
                  • Instruction Fuzzy Hash: 98A1EEB5A00702ABC714DF65C895FABB3A8BFD8314F044A2EF95587341DB38E9058B96

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  APIs
                    • Part of subcall function 100294C0: GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                    • Part of subcall function 100294C0: GetTickCount.KERNEL32 ref: 10029543
                    • Part of subcall function 100294C0: wsprintfA.USER32 ref: 10029558
                    • Part of subcall function 100294C0: PathFileExistsA.SHLWAPI(?), ref: 10029565
                  • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 10019491
                  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000000,00000001,?,?,?,00000000), ref: 100195FF
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: FilePath$AllocateCopyCountExistsHeapTempTickwsprintf
                  • String ID: @
                  • API String ID: 183890193-2766056989
                  • Opcode ID: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
                  • Instruction ID: 886d6a9a19e72094fdb0421fea6300c5803c3cbfa718e8e798f15b8255d4c358
                  • Opcode Fuzzy Hash: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
                  • Instruction Fuzzy Hash: 26D142B5E40209ABEB01DFD4DCC2F9EB7B4FF18704F540065F604BA282E776A9548B66

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 899 1000710e-10007271 call 1002748d * 5 GetVersionExA 910 10007273-10007287 call 10027499 899->910 911 1000728a-100072e2 call 10027ca0 899->911 910->911 916 100072f3-100072f9 911->916 917 100072e4 911->917 919 10007300-1000734b call 10027487 916->919 920 100072fb 916->920 918 100072e6-100072ea 917->918 921 100072f1 918->921 922 100072ec-100072ef 918->922 925 10007351-100073f3 call 1002748d GetSystemInfo 919->925 926 100077ad-100077b2 919->926 920->919 921->916 922->918 931 100073f5-10007409 call 10027499 925->931 932 1000740c-100074c4 call 10027487 RtlGetNtVersionNumbers 925->932 928 100077b7-100077f1 call 10027487 * 4 926->928 931->932 940 100074c6-100074da call 10027499 932->940 941 100074dd-10007520 932->941 940->941 944 10007552-10007556 941->944 945 10007526-1000752a 941->945 947 10007630-10007634 944->947 948 1000755c-10007560 944->948 950 10007530-10007534 945->950 951 1000754d 945->951 957 1000778a-1000778e 947->957 958 1000763a-1000763e 947->958 955 10007591-10007595 948->955 956 10007566-10007574 948->956 959 10007546 950->959 960 1000753a-10007541 950->960 954 100077a5-100077a8 951->954 954->928 964 100075c6-100075ca 955->964 965 1000759b-100075a9 955->965 961 10007584 956->961 962 1000757a-1000757f 956->962 957->954 963 10007794-10007798 957->963 966 10007650-10007654 958->966 967 10007644-1000764b 958->967 959->951 960->951 968 10007589-1000758c 961->968 962->968 963->954 969 1000779e 963->969 974 100075d0-100075de 964->974 975 100075fb-100075ff 964->975 970 100075b9 965->970 971 100075af-100075b4 965->971 972 10007785 966->972 973 1000765a-1000766f 966->973 967->972 977 1000762b 968->977 969->954 978 100075be-100075c1 970->978 971->978 972->954 986 10007671-10007685 call 10027499 973->986 987 10007688-1000768f 973->987 979 100075e4-100075e9 974->979 980 100075ee 974->980 976 10007605-10007613 975->976 975->977 982 10007623 976->982 983 10007619-1000761e 976->983 977->954 978->977 981 100075f3-100075f6 979->981 
980->981 981->977 985 10007628 982->985 983->985 985->977 986->987 988 100076a1-100076a5 987->988 989 10007695-1000769c 987->989 992 100076c7 988->992 993 100076ab-100076ba 988->993 989->972 995 100076cc-100076ce 992->995 993->992 994 100076c0-100076c5 993->994 994->995 996 100076e0-1000771d call 10028950 995->996 997 100076d4-100076db 995->997 1000 10007723-1000772a 996->1000 1001 1000772f-1000776c call 10028950 996->1001 997->972 1000->972 1004 10007772-10007779 1001->1004 1005 1000777e 1001->1005 1004->972 1005->972
                  APIs
                  • GetVersionExA.KERNEL32(00000000,10006DE0), ref: 10007264
                  • GetSystemInfo.KERNEL32(00000000,?), ref: 100073E6
                  • RtlGetNtVersionNumbers.NTDLL(?,?,00000000), ref: 100074B7
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: Version$InfoNumbersSystem
                  • String ID:
                  • API String ID: 995872648-0
                  • Opcode ID: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                  • Instruction ID: 6910099e4755c4c9484fada616f008788a9246664730439cfdd765e490be93a4
                  • Opcode Fuzzy Hash: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                  • Instruction Fuzzy Hash: 001225B5E40246DBFB00CFA8DC81799B7F0FF19364F290065E909AB345E379A951CB62

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1047 10018ad3-10018b21 call 10018eea * 2 HeapCreate 1053 10018b23-10018b37 call 10027499 1047->1053 1054 10018b3a-10018b5e HeapCreate 1047->1054 1053->1054 1055 10018b60-10018b74 call 10027499 1054->1055 1056 10018b77-10018b8e call 10001000 1054->1056 1055->1056 1063 10018b90-10018ba4 call 10027499 1056->1063 1064 10018ba7-10018bc8 call 1000188f 1056->1064 1063->1064 1069 10018bd3-10018be4 call 1000b61e 1064->1069 1070 10018bca-10018bd0 call 10027487 1064->1070 1075 10018be6-10018bec call 10027487 1069->1075 1076 10018bef-10018c09 call 10001000 1069->1076 1070->1069 1075->1076 1081 10018c22-10018c43 call 1000188f 1076->1081 1082 10018c0b-10018c1f call 10027499 1076->1082 1087 10018c45-10018c4b call 10027487 1081->1087 1088 10018c4e-10018c5f call 1000b61e 1081->1088 1082->1081 1087->1088 1093 10018c61-10018c67 call 10027487 1088->1093 1094 10018c6a-10018c84 call 10001000 1088->1094 1093->1094 1099 10018c86-10018c9a call 10027499 1094->1099 1100 10018c9d-10018cbe call 1000188f 1094->1100 1099->1100 1105 10018cc0-10018cc6 call 10027487 1100->1105 1106 10018cc9-10018cda call 1000b61e 1100->1106 1105->1106 1111 10018ce5-10018cff call 10001000 1106->1111 1112 10018cdc-10018ce2 call 10027487 1106->1112 1117 10018d01-10018d15 call 10027499 1111->1117 1118 10018d18-10018d39 call 1000188f 1111->1118 1112->1111 1117->1118 1123 10018d44-10018d55 call 1000b61e 1118->1123 1124 10018d3b-10018d41 call 10027487 1118->1124 1129 10018d60-10018d7a call 10001000 1123->1129 1130 10018d57-10018d5d call 10027487 1123->1130 1124->1123 1135 10018d93-10018db4 call 1000188f 1129->1135 1136 10018d7c-10018d90 call 10027499 1129->1136 1130->1129 1141 10018db6-10018dbc call 10027487 1135->1141 1142 10018dbf-10018dd0 call 1000b61e 1135->1142 1136->1135 1141->1142 1147 10018dd2-10018dd8 call 10027487 1142->1147 1148 10018ddb-10018e4b call 10006453 call 1000710e call 10018f34 call 100191e3 call 10019edc call 1000ff10 call 100114f9 1142->1148 1147->1148 1165 
10018e56-10018ea3 call 10019edc call 1000ff10 call 100114f9 1148->1165 1166 10018e4d-10018e53 call 10027487 1148->1166 1175 10018ea5-10018eab call 10027487 1165->1175 1176 10018eae-10018ec2 call 10019f4c 1165->1176 1166->1165 1175->1176 1180 10018ec7-10018ee9 call 1001a236 1176->1180
                  APIs
                    • Part of subcall function 10018EEA: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                  • HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 10018B14
                  • HeapCreate.KERNEL32(00040000,00000000,00000000), ref: 10018B51
                    • Part of subcall function 1000FF10: RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: Create$Heap$ComputeCrc32Mutex
                  • String ID:
                  • API String ID: 3311811139-0
                  • Opcode ID: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                  • Instruction ID: 66fc46a93c8d8d126791b072413d70454ec7258938680aadaad6e332e46fbde2
                  • Opcode Fuzzy Hash: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                  • Instruction Fuzzy Hash: B8B10CB5E00309ABEB10EFE4DCC2B9E77B8FB14340F504465E618EB246E775AB448B52

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 1185 4b0c30-4b0c3a 1186 4b0c4c-4b0c52 1185->1186 1187 4b0c3c-4b0c49 call 4b0d00 1185->1187 1189 4b0c5c-4b0c68 1186->1189 1190 4b0c54-4b0c59 1186->1190 1192 4b0c6a-4b0c70 1189->1192 1193 4b0cb6-4b0cbd 1189->1193 1192->1193 1194 4b0c72-4b0c78 1192->1194 1195 4b0cca-4b0cdf RtlAllocateHeap 1193->1195 1196 4b0cbf-4b0cc5 GetProcessHeap 1193->1196 1194->1193 1199 4b0c7a-4b0cb3 call 5138f0 1194->1199 1197 4b0ced-4b0cf6 1195->1197 1198 4b0ce1-4b0cea 1195->1198 1196->1195
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ca8975013be66042fb3ee7ceec211989a27087a098f950c7537636960121dd16
                  • Instruction ID: 2e6eb3e04c5d181b1ddf78a2676a29e2dcee82295116eba9147db19c910fd444
                  • Opcode Fuzzy Hash: ca8975013be66042fb3ee7ceec211989a27087a098f950c7537636960121dd16
                  • Instruction Fuzzy Hash: 8D211BB67007008FE724CF69D884A97B7E8EBA0356F10C92FE159C7651D775E805CB64
                  APIs
                  • LdrInitializeThunk.NTDLL(-0000007F), ref: 10004BAD
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  • Opcode ID: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                  • Instruction ID: 7f13cb2829284cec5adb7bd0b88e9c5a5f53f04c1fb2448feb0c9f08ba257be5
                  • Opcode Fuzzy Hash: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                  • Instruction Fuzzy Hash: 0111C4B1600645DBFB20DF18C894B5973A5EB413D9F128336E806CB2E8CB78DD85C789
                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: Close
                  • String ID:
                  • API String ID: 3535843008-0
                  • Opcode ID: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                  • Instruction ID: f7734d6dfd281f4cec539f69a8a4743609fe5589cfe20e3980177d77de103c32
                  • Opcode Fuzzy Hash: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                  • Instruction Fuzzy Hash: 92112EB5D40308BBEB50DFE0DC86B9DBBB8EF05340F108069E6447A281D7B66B588B91
                  APIs
                  • InterlockedExchange.KERNEL32(1002D511,00000000), ref: 1001A1FA
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                  • Instruction ID: 8b03ad6f155dc1ffa3c952e4c0ec4cfc85cd69f7d418c3f1b48ca094e25b3ce2
                  • Opcode Fuzzy Hash: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                  • Instruction Fuzzy Hash: EF012975D04319A7DB00EFD49C82F9E77B9EB05340F404066E50466151D775DB949B92
                  APIs
                  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                  • Instruction ID: b5123a5caac3b4bfff5d25017b882f5dc189a7960400f6af0356bf2a3b5a090f
                  • Opcode Fuzzy Hash: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                  • Instruction Fuzzy Hash: 49E01270E95308F7E120AA505D03B29B635D70AB11F609055BE083E1C1D5B19A156696
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a412cb7cc582790390536f66bba1ad9b535bc0482b4375160402a6d7ab277527
                  • Instruction ID: f90c4d44a6a2ff235ee0076110ec3c02696c0935a211897f1f8d26a09fd3f00a
                  • Opcode Fuzzy Hash: a412cb7cc582790390536f66bba1ad9b535bc0482b4375160402a6d7ab277527
                  • Instruction Fuzzy Hash: 3A312870D04A0DEBCF00DF95E5C5A9DBBB0FF09300F6180D1E9A46A659CB369A34DB66

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 317 5493c0-5493dd EnterCriticalSection 318 5493ec-5493f1 317->318 319 5493df-5493e6 317->319 321 5493f3-5493f6 318->321 322 54940e-549417 318->322 319->318 320 5494a5-5494a8 319->320 323 5494b0-5494d1 LeaveCriticalSection 320->323 324 5494aa-5494ad 320->324 325 5493f9-5493fc 321->325 326 54942c-549448 GlobalHandle GlobalUnlock GlobalReAlloc 322->326 327 549419-54942a GlobalAlloc 322->327 324->323 328 549406-549408 325->328 329 5493fe-549404 325->329 330 54944e-54945a 326->330 327->330 328->320 328->322 329->325 329->328 331 549477-5494a4 GlobalLock call 530fd0 330->331 332 54945c-549472 GlobalHandle GlobalLock LeaveCriticalSection call 53d8b1 330->332 331->320 332->331
                  APIs
                  • EnterCriticalSection.KERNEL32(00828AA0,00828A74,00000000,?,00828A84,00828A84,0054975B,?,00000000,005491AE,00548A9D,005491CA,005445D1,00545876,?,00000000), ref: 005493CF
                  • GlobalAlloc.KERNEL32(00002002,00000000,?,?,00828A84,00828A84,0054975B,?,00000000,005491AE,00548A9D,005491CA,005445D1,00545876,?,00000000), ref: 00549424
                  • GlobalHandle.KERNEL32(009B0D50), ref: 0054942D
                  • GlobalUnlock.KERNEL32(00000000), ref: 00549436
                  • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00549448
                  • GlobalHandle.KERNEL32(009B0D50), ref: 0054945F
                  • GlobalLock.KERNEL32(00000000), ref: 00549466
                  • LeaveCriticalSection.KERNEL32(0052D788,?,?,00828A84,00828A84,0054975B,?,00000000,005491AE,00548A9D,005491CA,005445D1,00545876,?,00000000), ref: 0054946C
                  • GlobalLock.KERNEL32(00000000), ref: 0054947B
                  • LeaveCriticalSection.KERNEL32(?), ref: 005494C4
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                  • String ID:
                  • API String ID: 2667261700-0
                  • Opcode ID: ad25314e3ab3a8c0cbd963cee62433216bdfd4a3f84765b6980d9fd789afd86f
                  • Instruction ID: 0680607167dcfb51be68af9fc07181946f114734a34a74dd25a2467039290072
                  • Opcode Fuzzy Hash: ad25314e3ab3a8c0cbd963cee62433216bdfd4a3f84765b6980d9fd789afd86f
                  • Instruction Fuzzy Hash: 6B3186752007069FDB249F24DC9EA6BBBE9FB84305F014A2DF852C36A1D771E849CB10

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 470 100294c0-100294cf 471 100294d1-100294e3 GetTempPathA 470->471 472 100294eb-10029511 470->472 473 10029513-1002952c 471->473 474 100294e5-100294e9 471->474 472->473 475 10029531-1002953d 473->475 476 1002952e 473->476 474->473 477 10029543-10029569 GetTickCount wsprintfA PathFileExistsA 475->477 476->475 477->477 478 1002956b-100295b3 call 10027bb0 477->478
                  APIs
                  • GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                  • GetTickCount.KERNEL32 ref: 10029543
                  • wsprintfA.USER32 ref: 10029558
                  • PathFileExistsA.SHLWAPI(?), ref: 10029565
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: Path$CountExistsFileTempTickwsprintf
                  • String ID: %s%x.tmp
                  • API String ID: 3843276195-78920241
                  • Opcode ID: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                  • Instruction ID: 19c0f5fbbc49b21063d5a4c1e69b6cb6cd736cc94922c53957f775166a9e82b6
                  • Opcode Fuzzy Hash: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                  • Instruction Fuzzy Hash: 9521F6352046144FE329D638AC526EB77D5FBC4360F948A2DF9AA831C0DF74DD058791

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 741 10027bb0-10027bb7 742 10027bc4-10027bd7 RtlAllocateHeap 741->742 743 10027bb9-10027bbf GetProcessHeap 741->743 744 10027bf5-10027bf8 742->744 745 10027bd9-10027bf2 MessageBoxA call 10027b10 742->745 743->742 745->744
                  APIs
                  • GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                  • RtlAllocateHeap.NTDLL(009A0000,00000008,?,?,10028674), ref: 10027BCD
                  • MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: Heap$AllocateMessageProcess
                  • String ID: error
                  • API String ID: 2992861138-1574812785
                  • Opcode ID: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
                  • Instruction ID: 89e5899bf0a8eaacd33e9d23978464e8beef4f738102cb453b69e42e0a268b90
                  • Opcode Fuzzy Hash: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
                  • Instruction Fuzzy Hash: 4DE0DF71A01A31ABE322EB64BC88F4B7698EF05B41F910526F608E2240EF20AC019791

                  Control-flow Graph

                  APIs
                  • CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000020,00000000,00000000,100149DF,00000001,00000000,00000000,80000004,00000000,00000000,00000000), ref: 10028D55
                  • GetFileSize.KERNEL32(00000000,?,1002C201,00000268,?,00000000,00000000,00000000,00000000), ref: 10028D6C
                    • Part of subcall function 10027BB0: GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                    • Part of subcall function 10027BB0: RtlAllocateHeap.NTDLL(009A0000,00000008,?,?,10028674), ref: 10027BCD
                    • Part of subcall function 10027BB0: MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                  • ReadFile.KERNEL32(00000000,00000008,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D98
                  • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D9F
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: File$Heap$AllocateCloseCreateHandleMessageProcessReadSize
                  • String ID:
                  • API String ID: 749537981-0
                  • Opcode ID: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                  • Instruction ID: 3e7a6e3e6917c5c906f0044d82f650070526e8034b550c75b50b94cd4b2286ca
                  • Opcode Fuzzy Hash: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                  • Instruction Fuzzy Hash: 31F044762003107BE3218B64DCC9F9B77ACEB84B51F204A1DF616961D0E670A5458761

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 884 5445e1-5445ea call 54919f 887 5445ec-544617 call 548f68 GetCurrentThreadId SetWindowsHookExA call 5497bc 884->887 888 54463f 884->888 892 54461c-544622 887->892 893 544624-544629 call 54919f 892->893 894 54462f-54463e call 549727 892->894 893->894 894->888
                  APIs
                  • GetCurrentThreadId.KERNEL32 ref: 005445F4
                  • SetWindowsHookExA.USER32(000000FF,V`H,00000000,00000000), ref: 00544604
                    • Part of subcall function 005497BC: __EH_prolog.LIBCMT ref: 005497C1
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: CurrentH_prologHookThreadWindows
                  • String ID: V`H
                  • API String ID: 2183259885-1425837005
                  • Opcode ID: 7bdb4992812b9603d92ce55cf3757991eafd4ebacac900e4ddfae643f0de77b5
                  • Instruction ID: 6703cd5c35d67480fc66cfaacd7600fc8725dd8c5455f0883ca78f17e6e9ae7e
                  • Opcode Fuzzy Hash: 7bdb4992812b9603d92ce55cf3757991eafd4ebacac900e4ddfae643f0de77b5
                  • Instruction Fuzzy Hash: CAF03031980352BFCB643BB0AD0EBEA7E50BB42729F05165CB161AB5E1DE705C84DB51
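The "APIs" and "Similarity" blocks on this page follow a fixed text layout, and the "API ID" key can be rebuilt from the listed call names, which makes it usable for clustering functions across reports. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses entries in that layout (sample lines transcribed from this page, with the SetErrorMode argument lists shortened), recomputes the API ID under a tokenization rule inferred from the IDs printed here (split the name at uppercase boundaries, drop fragments shorter than four characters, group tokens by occurrence count), and applies a labelled heuristic to the SetWindowsHookExA entry. The String ID and the numeric API String ID are not reproduced; the regex, the four-character cutoff and the hook heuristic are this example's assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the layout of this report's per-function "APIs" and
# "Similarity" blocks; the three entries are transcribed from the page
# (the SetErrorMode argument lists are shortened).
SAMPLE_REPORT = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 005445F4
• SetWindowsHookExA.USER32(000000FF,V`H,00000000,00000000), ref: 00544604
  • Part of subcall function 005497BC: __EH_prolog.LIBCMT ref: 005497C1
Similarity
• API ID: CurrentH_prologHookThreadWindows
APIs
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004C3979
• IsWindow.USER32 ref: 004C39A7
• PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004C3A76
Similarity
• API ID: MessagePeek$Window
APIs
• SetErrorMode.KERNEL32(00000000,00000000,00545895), ref: 00549FF9
• SetErrorMode.KERNEL32(00000000,?,00000000), ref: 0054A000
  • Part of subcall function 0054A053: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0054A084
  • Part of subcall function 0054A053: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0054A125
  • Part of subcall function 0054A053: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0054A152
Similarity
• API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
"""

# Assumed line grammar: optional "Part of subcall function X:" prefix,
# Api.MODULE, optional "(args)", then "ref: ADDRESS".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
TOKEN = re.compile(r"[A-Z][^A-Z]*|[^A-Z]+")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int
    via_subcall: bool


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    reported_api_id: str = ""


def parse_report(text):
    """Group the report's call lines into one FunctionEntry per 'APIs' block."""
    entries, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = FunctionEntry()
            entries.append(current)
        elif current is not None and (m := API_LINE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.calls.append(ApiCall(m["api"], m["module"].upper(), args,
                                         int(m["ref"], 16), m["caller"] is not None))
        elif current is not None and stripped.startswith("• API ID:"):
            current.reported_api_id = stripped.split(":", 1)[1].strip()
    return entries


def name_tokens(api_name):
    """Split an API name at uppercase boundaries and drop fragments shorter than
    four characters (Get, Set, Rtl, Ex, A, Id, Ptr, Box, ...). This rule is
    inferred from the IDs printed on this page, not taken from Joe Sandbox."""
    return [t for t in TOKEN.findall(api_name) if len(t) >= 4]


def api_id(entry):
    """Recompute the 'API ID' key: tokens grouped by occurrence count
    (most frequent group first, groups joined with '$'), sorted ASCII-wise
    inside a group. Subcall lines count, as they do in the report."""
    counts = Counter(t for c in entry.calls for t in name_tokens(c.api))
    tiers = {}
    for tok, n in counts.items():
        tiers.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(tiers[n])) for n in sorted(tiers, reverse=True))


def hook_triage(entry):
    """Heuristic (assumption): a direct SetWindowsHookEx call in the same function
    as GetCurrentThreadId suggests a thread-local hook rather than a system-wide
    one. The argument values printed in the report are static readings, so the
    dwThreadId column is deliberately not used to decide this."""
    direct = {c.api for c in entry.calls if not c.via_subcall}
    hooks = [c for c in entry.calls if c.api.startswith("SetWindowsHookEx")]
    if not hooks:
        return None
    scope = "thread-local (likely)" if "GetCurrentThreadId" in direct else "unknown scope"
    return {"refs": [f"{c.ref:08X}" for c in hooks], "scope": scope}


if __name__ == "__main__":
    for e in parse_report(SAMPLE_REPORT):
        print(e.reported_api_id, api_id(e), api_id(e) == e.reported_api_id, hook_triage(e))
```

Running it prints each reported key beside the recomputed one; a mismatch on another report means the inferred tokenization rule does not cover that entry, and the key should then be checked by hand rather than trusted for clustering.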

                   Control-flow Graph (basic blocks in address order with their successors; the original image marks each block as executed or not executed)
                   • 4c3950-4c3963 -> 4c3967
                   • 4c3967-4c396b -> 4c3a2f, 4c3971
                   • 4c3971 -> 4c3974
                   • 4c3974-4c3981: PeekMessageA -> 4c3a2f, 4c3987
                   • 4c3987-4c3991 -> 4c39fb, 4c3993
                   • 4c3993-4c399a -> 4c399d
                   • 4c399d-4c39af: IsWindow -> 4c39dd, 4c39b1
                   • 4c39b1-4c39db: call 4b1500 * 3 -> 4c39f3
                   • 4c39dd-4c39f0 -> 4c39f3
                   • 4c39f3-4c39f7 -> 4c399d, 4c39f9
                   • 4c39f9 -> 4c39fb
                   • 4c39fb-4c3a10 -> 4c3a16, 4c3a12
                   • 4c3a12 -> 4c3a16
                   • 4c3a16-4c3a1b -> 4c3a1d, 4c3a25
                   • 4c3a1d-4c3a23 -> 4c3a85, 4c3a25
                   • 4c3a25-4c3a29 -> 4c3a2f, 4c3974
                   • 4c3a2f-4c3a36 -> 4c3a3e, 4c3a38
                   • 4c3a38-4c3a3c -> 4c3a3e, 4c3a85
                   • 4c3a3e-4c3a47 -> 4c3a85, 4c3a49
                   • 4c3a49-4c3a4c -> 4c3a4e, 4c3a56
                   • 4c3a4e-4c3a54 -> 4c3a85, 4c3a56
                   • 4c3a56-4c3a63 -> 4c3a65, 4c3a71
                   • 4c3a65-4c3a6d -> 4c3a71
                   • 4c3a71-4c3a7e: PeekMessageA -> 4c3a2f, 4c3a80
                   • 4c3a80 -> 4c3967
                   • 4c3a85-4c3a8c (exit)
                  APIs
                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004C3979
                  • IsWindow.USER32 ref: 004C39A7
                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004C3A76
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: MessagePeek$Window
                  • String ID:
                  • API String ID: 1210580970-0
                  • Opcode ID: 8614e92ee3792c5e0f4a1698ca8b3bdd5d9b1a0d60cc895be9ec4b9491304137
                  • Instruction ID: 2ab727ec16f486c5603cac7579aa4e0c9ad3d80b41b1900d28bddc0447c3a321
                  • Opcode Fuzzy Hash: 8614e92ee3792c5e0f4a1698ca8b3bdd5d9b1a0d60cc895be9ec4b9491304137
                  • Instruction Fuzzy Hash: 6D3190B5700206AFD754DF24D884FBBB3A8FF4534AF40412EE95583250D779EE28CAA6

                   Control-flow Graph (basic blocks with their successors; the original image marks each block as executed or not executed)
                   • 10027c00-10027c07 -> 10027c14, 10027c09
                   • 10027c09-10027c0f: GetProcessHeap -> 10027c14
                   • 10027c14-10027c1a -> 10027c2c, 10027c1c
                   • 10027c1c-10027c2b: RtlReAllocateHeap
                   • 10027c2c-10027c3a: HeapAlloc
                  APIs
                  • GetProcessHeap.KERNEL32 ref: 10027C09
                  • RtlReAllocateHeap.NTDLL(009A0000,00000000,?,?), ref: 10027C25
                  • HeapAlloc.KERNEL32(009A0000,00000008,?), ref: 10027C34
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: Heap$AllocAllocateProcess
                  • String ID:
                  • API String ID: 884036251-0
                  • Opcode ID: 9efcff9902125281ec9a09c9c023dba4db312c3c708ccaee2e786fbb41110ba0
                  • Instruction ID: b241cba4319a201032bf577b7fc9e17535b267b67f28049859b449165823abc2
                  • Opcode Fuzzy Hash: 9efcff9902125281ec9a09c9c023dba4db312c3c708ccaee2e786fbb41110ba0
                  • Instruction Fuzzy Hash: 64E092B4701611AFEF14DB60DE89B2BB7A9EB85B41F20491CF649C6160DA74A841DB21
                  APIs
                  • SetErrorMode.KERNEL32(00000000,00000000,00545895,00000000,00000000,00000000,00000000,?,00000000,?,0053D023,00000000,00000000,00000000,00000000,0052D788), ref: 00549FF9
                  • SetErrorMode.KERNEL32(00000000,?,00000000,?,0053D023,00000000,00000000,00000000,00000000,0052D788,00000000), ref: 0054A000
                    • Part of subcall function 0054A053: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0054A084
                    • Part of subcall function 0054A053: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0054A125
                    • Part of subcall function 0054A053: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0054A152
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
                  • String ID:
                  • API String ID: 3389432936-0
                  • Opcode ID: f5cc11b3060c09880d13a835071dac1ff441f947291634e4d0d4758776c38180
                  • Instruction ID: c4c3ab3275c8eb14d5ae32abcb23d0482c2f86857849692c857bd89a7c3249ea
                  • Opcode Fuzzy Hash: f5cc11b3060c09880d13a835071dac1ff441f947291634e4d0d4758776c38180
                  • Instruction Fuzzy Hash: 82F08770A442129FCB14FF20C449B8A3FA4BF84310F01848AB4488B3A2CB70D840CB52
                  APIs
                  • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004C3AA7
                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004C3ACD
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: MessagePeek
                  • String ID:
                  • API String ID: 2222842502-0
                  • Opcode ID: d5d2506b950605fd47a43454618ffe8a54ad3c91368ebf1fb006fd2e3387a302
                  • Instruction ID: e12696abd107ecee3b6de49d5429ec05dbec5f9555e77b60db8d8df6ed79d70d
                  • Opcode Fuzzy Hash: d5d2506b950605fd47a43454618ffe8a54ad3c91368ebf1fb006fd2e3387a302
                  • Instruction Fuzzy Hash: B5F09B35740312BBFB20EBA48C06F5737586F84B01F54445AF741AB1D0E6B4F5058BA9
                  APIs
                  • HeapCreate.KERNEL32(00000000,00001000,00000000,0052D706,00000001), ref: 00533739
                    • Part of subcall function 005335E0: GetVersionExA.KERNEL32 ref: 005335FF
                  • HeapDestroy.KERNEL32 ref: 00533778
                    • Part of subcall function 00536FF5: HeapAlloc.KERNEL32(00000000,00000140,00533761,000003F8), ref: 00537002
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: Heap$AllocCreateDestroyVersion
                  • String ID:
                  • API String ID: 2507506473-0
                  • Opcode ID: a74c570746986a0d0ea47059bd758b4a4c67e8f0631b46f34643c4d50467435d
                  • Instruction ID: 299e96f16654292e717742aaca72f32221ee5cbc430f404e8471a118c5d38c14
                  • Opcode Fuzzy Hash: a74c570746986a0d0ea47059bd758b4a4c67e8f0631b46f34643c4d50467435d
                  • Instruction Fuzzy Hash: 23F06DF0A54302AAEB306B74AD5A7792F90FB90B82F20883AF400C90F4EA608781D651
                  APIs
                  • IsBadReadPtr.KERNEL32(00000000,00000008), ref: 10027C6E
                  • RtlFreeHeap.NTDLL(009A0000,00000000,00000000), ref: 10027C80
                    • Part of subcall function 10027AE0: GetModuleHandleA.KERNEL32(10000000,10027CB6,?,?,00000000,10013438,00000004,1002D4C1,00000000,00000000,?,00000014,00000000,00000000), ref: 10027AEA
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: FreeHandleHeapModuleRead
                  • String ID:
                  • API String ID: 627478288-0
                  • Opcode ID: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                  • Instruction ID: 59851536013e0aac3578df5bad16e171669d5e3b00cd7f1de4e20f90094f5fd3
                  • Opcode Fuzzy Hash: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                  • Instruction Fuzzy Hash: 46E0ED71A0153297EB21FB34ADC4A4B769CFB417C0BB1402AF548B3151D330AC818BA2
                  APIs
                  • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0052F0CC
                    • Part of subcall function 00535DE4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0052FEFC,00000009,00000000,00000000,00000001,00533571,00000001,00000074,?,?,00000000,00000001), ref: 00535E21
                    • Part of subcall function 00535DE4: EnterCriticalSection.KERNEL32(?,?,?,0052FEFC,00000009,00000000,00000000,00000001,00533571,00000001,00000074,?,?,00000000,00000001), ref: 00535E3C
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: CriticalSection$AllocateEnterHeapInitialize
                  • String ID:
                  • API String ID: 1616793339-0
                  • Opcode ID: 5ecf1b54963c016b0c85aac6aed190ffb886ae195f8cb63037d802d6b0ecda44
                  • Instruction ID: db2fee421973880d84c7cdcddfe3e6a2e3f7ef9d9045ce6f5b3cde708dec6291
                  • Opcode Fuzzy Hash: 5ecf1b54963c016b0c85aac6aed190ffb886ae195f8cb63037d802d6b0ecda44
                  • Instruction Fuzzy Hash: C2217132A00225ABDB20EB65FD4ABAD7F74FF01720F144535F512EB1C2D77499418B94
                  APIs
                  • RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,0052FEFC,00000009,00000000,00000000,00000001,00533571,00000001,00000074), ref: 0052EF92
                    • Part of subcall function 00535DE4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0052FEFC,00000009,00000000,00000000,00000001,00533571,00000001,00000074,?,?,00000000,00000001), ref: 00535E21
                    • Part of subcall function 00535DE4: EnterCriticalSection.KERNEL32(?,?,?,0052FEFC,00000009,00000000,00000000,00000001,00533571,00000001,00000074,?,?,00000000,00000001), ref: 00535E3C
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterFreeHeapInitialize
                  • String ID:
                  • API String ID: 641406236-0
                  • Opcode ID: 6f2368d0bb27c775a05c4f216ad3a2ab4d8473f09d67f72acea001f58ce6d957
                  • Instruction ID: 565555db2da22e1ed14eccdc1ab700e75b48eeefff4ebff80a849c763760e29c
                  • Opcode Fuzzy Hash: 6f2368d0bb27c775a05c4f216ad3a2ab4d8473f09d67f72acea001f58ce6d957
                  • Instruction Fuzzy Hash: CA219272D0561AABDF25DB94ED0BBAE7F78FF06720F240629F414B61C0D7349940CAA1
                  APIs
                  • LoadStringA.USER32(?,?,?,?), ref: 00545168
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: LoadString
                  • String ID:
                  • API String ID: 2948472770-0
                  • Opcode ID: e00ba2af5c0ab2ebee51c7ba3a58208dc53a8c205b24856cabd4796f089c07ce
                  • Instruction ID: 08fb04d2d79f514444bb58c00174978d5c860b2d23caccf5b1b06e8bd03619f6
                  • Opcode Fuzzy Hash: e00ba2af5c0ab2ebee51c7ba3a58208dc53a8c205b24856cabd4796f089c07ce
                  • Instruction Fuzzy Hash: 94D0A772108363ABC711DF608808DCFBFA8BF54310B050C0DF48843111D320C804CB61
                  APIs
                  • ShowWindow.USER32(?,?,004C05FC,00000000), ref: 00543C48
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: ShowWindow
                  • String ID:
                  • API String ID: 1268545403-0
                  • Opcode ID: ffc18a60ec64a25ffe576df6f9df42f32a41d4df3b93da3696965e1d8b0a479c
                  • Instruction ID: f777d452e94a7aa5c769602382ac00d8f3328d29531e7a0e4ff5638ee9210a33
                  • Opcode Fuzzy Hash: ffc18a60ec64a25ffe576df6f9df42f32a41d4df3b93da3696965e1d8b0a479c
                  • Instruction Fuzzy Hash: 08D0C931304210EFCF058F60CA88A5ABBB2BF94709F209968F54AEA175D732DD12FB41
                  APIs
                  • DeleteFileA.KERNEL32(00000000,10015A7E,00000001,10014425,00000000,80000004), ref: 10028E55
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: DeleteFile
                  • String ID:
                  • API String ID: 4033686569-0
                  • Opcode ID: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                  • Instruction ID: ffbd99c73049c44a809e906c9e813abd6042298cab9f2baa300a0a2bd65e465f
                  • Opcode Fuzzy Hash: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                  • Instruction Fuzzy Hash: 5EA00275904611EBDE11DBA4C9DC84B7BACAB84341B108844F155C2130C634D451CB21
                  APIs
                  • IsWindow.USER32(00000000), ref: 1001F57C
                  • IsIconic.USER32(00000000), ref: 1001F86F
                  • GetDCEx.USER32(00000000,00000000,00000020,?,?,?,?,-00000004), ref: 1001F8D4
                  • GetDCEx.USER32(00000000,00000000,00000020,?,?,?,?,-00000004), ref: 1001FE93
                  • GetWindowInfo.USER32(00000000,00000000), ref: 1001FFE2
                  • GetWindowRect.USER32(00000000,?), ref: 100201EB
                  • CreateCompatibleDC.GDI32(00000000), ref: 100205D5
                  • CreateDIBSection.GDI32(00000000,00000000,00000000,00000000), ref: 100206C0
                  • SelectObject.GDI32(00000000,00000000), ref: 10020798
                  • CreateCompatibleDC.GDI32(00000000), ref: 100207D7
                  • SelectObject.GDI32(00000000,00000000), ref: 1002086C
                  • PrintWindow.USER32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,-00000004), ref: 100208A9
                  • BitBlt.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00CC0020), ref: 1002091B
                  • SelectObject.GDI32(00000000,00000000), ref: 10020ADE
                  • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 10020CB4
                    • Part of subcall function 10028090: _CIfmod.MSVCRT(?,?,?,1000197A,00000002,?,?,80000601,00000000,40140000,80000601,00000000,00000000,00000001), ref: 100280A8
                    • Part of subcall function 10002461: HeapAlloc.KERNEL32(00000008,?,?,10026C94), ref: 1000247B
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: Window$CreateObjectSelect$Compatible$AllocBitsHeapIconicIfmodInfoPrintRectSection
                  • String ID:
                  • API String ID: 3140154463-0
                  • Opcode ID: 88eda80100b7a025ec30ab416d140f093013ab73758d7af4ff83b5959809b2a7
                  • Instruction ID: ea048d8ca86424f245eedfb131be0975fd1a5b6ab4dedd9bad29979357843bcf
                  • Opcode Fuzzy Hash: 88eda80100b7a025ec30ab416d140f093013ab73758d7af4ff83b5959809b2a7
                  • Instruction Fuzzy Hash: CB13F3B0A40329DBEF20CF54DCC1B99BBB1FF19314F5440A4E648AB241D775AAA4DF25
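The per-function records on this page (the API call list, the memory-dump source with its image base, and the similarity block ending in the instruction fuzzy hash) follow a fixed layout, so they can be parsed mechanically and the called APIs grouped by image base. Doing that makes the split visible: the PrintWindow/BitBlt/GetDIBits capture routine and the DeleteFileA call sit in the module dumped at 0x10000000, while LoadLibraryA/GetProcAddress resolution of MonitorFromWindow and GetMonitorInfoA sits in the main image at 0x00400000. The following parser is an added example, not part of the report or of Joe Sandbox's tooling; the capability rule table is this example's own heuristic, and the sample input is a trimmed copy of four records from this page.

```python
"""Parse Joe Sandbox per-function records and tag each function by capability.
Example code, not Joe Sandbox's; the CAPABILITIES table is an assumption."""
import re
from collections import defaultdict

# Constructed sample: four records copied from this report, trimmed to the
# lines the parser uses (opcode/instruction ID lines omitted).
SAMPLE_REPORT = """\
APIs
• DeleteFileA.KERNEL32(00000000,10015A7E,00000001,10014425,00000000,80000004), ref: 10028E55
Memory Dump Source
• Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Instruction Fuzzy Hash: 5EA00275904611EBDE11DBA4C9DC84B7BACAB84341B108844F155C2130C634D451CB21
APIs
• GetWindowRect.USER32(00000000,?), ref: 100201EB
• PrintWindow.USER32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,-00000004), ref: 100208A9
• BitBlt.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00CC0020), ref: 1002091B
• GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 10020CB4
  • Part of subcall function 10002461: HeapAlloc.KERNEL32(00000008,?,?,10026C94), ref: 1000247B
Memory Dump Source
• Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Similarity
• API ID: Window$CreateObjectSelect$Compatible$AllocBitsHeapIconicIfmodInfoPrintRectSection
• String ID:
• API String ID: 3140154463-0
• Instruction Fuzzy Hash: CB13F3B0A40329DBEF20CF54DCC1B99BBB1FF19314F5440A4E648AB241D775AAA4DF25
APIs
• LoadLibraryA.KERNEL32(User32.dll,00000003,00000009), ref: 004CBFB4
• GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004CBFC7
• GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004CBFD5
Strings
Memory Dump Source
• Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressLibraryProcWindow$FreeIconicInfoLoadParametersShowSystemZoomed
• String ID: GetMonitorInfoA$H$MonitorFromWindow$User32.dll
• API String ID: 447426925-661446951
• Instruction Fuzzy Hash: 73318275700302AFDB109FA5CC99F2B77A8EF94B45F04441DFA05A7290DB78DC098B65
APIs
• ExitProcess.KERNEL32 ref: 004C4BEF
• WSACleanup.WS2_32 ref: 004C4E9F
Memory Dump Source
• Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: DestroyIcon$FreeLibraryWindow$CleanupCurrentExitMessageProcessSendThread
• String ID:
• API String ID: 3816745216-0
• Instruction Fuzzy Hash: 5FB19A786007029BC764DF65CAE5FABB7E5BF88301F00492EE5AA87391DB34B941CB54
"""

# A call line: optional subcall prefix, API.MODULE, optional (args), ref: ADDR
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<ref>[0-9A-F]+)\s*$")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")
BASE_RE = re.compile(r"Offset:\s*(?P<base>[0-9A-F]+)")

# Heuristic rule table (this example's assumption, not the sandbox's signatures):
# tag a function when it calls every API in the first set and any in the second.
CAPABILITIES = {
    "screen-capture": ({"GetDIBits"}, {"PrintWindow", "BitBlt"}),
    "dynamic-api-resolution": ({"GetProcAddress"}, {"LoadLibraryA", "LoadLibraryW"}),
    "file-deletion": (set(), {"DeleteFileA", "DeleteFileW"}),
    "process-termination": (set(), {"ExitProcess", "TerminateProcess"}),
    "winsock": (set(), {"WSAStartup", "WSACleanup"}),
}


def _new_record():
    return {"calls": [], "subcalls": [], "fields": {}, "strings": [], "base": None}


def parse_records(text):
    """Split report text into records; every record ends at its
    'Instruction Fuzzy Hash' line, which is used as the terminator."""
    records, cur = [], _new_record()
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:  # (api, module, raw args, call-site address)
            call = (m["api"], m["mod"], m["args"] or "", int(m["ref"], 16))
            (cur["subcalls"] if m["sub"] else cur["calls"]).append(call)
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # section headings such as 'APIs' or 'Memory Dump Source'
        key, val = m["key"], m["val"]
        if key == "Source File":
            cur["base"] = int(BASE_RE.search(val)["base"], 16)  # image base of the dump
        elif key == "String ID":
            cur["strings"] = [s for s in val.split("$") if s]  # '$'-joined strings
        else:
            cur["fields"][key] = val
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = _new_record()
    return records


def tag_capabilities(rec):
    """Sorted capability tags implied by the function's own (non-subcall) calls."""
    apis = {api for api, _, _, _ in rec["calls"]}
    return sorted(tag for tag, (need_all, need_any) in CAPABILITIES.items()
                  if need_all <= apis and apis & need_any)


def resolved_imports(rec):
    """Symbol names passed as the second argument to GetProcAddress."""
    return [args.split(",")[1] for api, _, args, _ in rec["calls"]
            if api == "GetProcAddress" and "," in args
            and not re.fullmatch(r"[0-9A-F?]+", args.split(",")[1])]


def summarize(text):
    """Image base (hex) -> sorted union of the capability tags of its functions."""
    by_base = defaultdict(set)
    for rec in parse_records(text):
        by_base[f"{rec['base']:08X}"].update(tag_capabilities(rec))
    return {base: sorted(tags) for base, tags in by_base.items()}


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_REPORT):
        print(f"{rec['base']:08X} {rec['fields']['API String ID']}: {tag_capabilities(rec)}")
    print(summarize(SAMPLE_REPORT))
```

Subcall entries (the indented "Part of subcall function" lines) are kept but not used for tagging, since they describe a callee rather than the function itself; the same rule table can be widened to the full report text once the "Download File" residue is stripped from the dump lines.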
                  APIs
                  • PathFindFileNameA.SHLWAPI(00000000), ref: 100143A7
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: FileFindNamePath
                  • String ID:
                  • API String ID: 1422272338-0
                  • Opcode ID: 0e6eff065a05a2f384f771e1e98f391994859e5652061184b7ca416d9ae97ae4
                  • Instruction ID: 6aa6a69dd7cd03d5bb48bed33b8f4d969fd18b6c87b19858859c797241170964
                  • Opcode Fuzzy Hash: 0e6eff065a05a2f384f771e1e98f391994859e5652061184b7ca416d9ae97ae4
                  • Instruction Fuzzy Hash: 6A8276B5E40309ABEB10DFD0DC82F9E77B4EF14741F550025F608BE291EBB2AA558B52
                  APIs
                  • IsIconic.USER32(?), ref: 004CBF7C
                  • IsZoomed.USER32(?), ref: 004CBF8A
                  • LoadLibraryA.KERNEL32(User32.dll,00000003,00000009), ref: 004CBFB4
                  • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004CBFC7
                  • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004CBFD5
                  • FreeLibrary.KERNEL32(00000000), ref: 004CC00B
                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004CC021
                  • IsWindow.USER32(?), ref: 004CC04E
                  • ShowWindow.USER32(?,00000005,?,?,?,?,00000004), ref: 004CC05B
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: AddressLibraryProcWindow$FreeIconicInfoLoadParametersShowSystemZoomed
                  • String ID: GetMonitorInfoA$H$MonitorFromWindow$User32.dll
                  • API String ID: 447426925-661446951
                  • Opcode ID: 8b34f5fbba60183606cc67ad269d2bff897997b10f0a45e32e74d7b78f754ff6
                  • Instruction ID: 3cf2cf9bae796266a4a17546086da5d32a5959a1fc1a250dd2576f727e63055a
                  • Opcode Fuzzy Hash: 8b34f5fbba60183606cc67ad269d2bff897997b10f0a45e32e74d7b78f754ff6
                  • Instruction Fuzzy Hash: 73318275700302AFDB109FA5CC99F2B77A8EF94B45F04441DFA05A7290DB78DC098B65
                  APIs
                  • GetCurrentThreadId.KERNEL32 ref: 004C4BA5
                  • IsWindow.USER32(0001046C), ref: 004C4BC1
                  • SendMessageA.USER32(0001046C,000083E7,?,00000000), ref: 004C4BDA
                  • ExitProcess.KERNEL32 ref: 004C4BEF
                  • FreeLibrary.KERNEL32(?), ref: 004C4CD3
                  • FreeLibrary.KERNEL32 ref: 004C4D27
                  • DestroyIcon.USER32(00000000), ref: 004C4D77
                  • DestroyIcon.USER32(00000000), ref: 004C4D8E
                  • IsWindow.USER32(0001046C), ref: 004C4DA5
                  • DestroyIcon.USER32(?,00000001,00000000,000000FF), ref: 004C4E54
                  • WSACleanup.WS2_32 ref: 004C4E9F
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: DestroyIcon$FreeLibraryWindow$CleanupCurrentExitMessageProcessSendThread
                  • String ID:
                  • API String ID: 3816745216-0
                  • Opcode ID: 25edd08f1e9c690ea24ebfe1139d1032976e66bea48292edacc3f9f9a8627384
                  • Instruction ID: 4abd550a67737e399eee1ccdead647fb92e3e054953a74e19813a7668393c190
                  • Opcode Fuzzy Hash: 25edd08f1e9c690ea24ebfe1139d1032976e66bea48292edacc3f9f9a8627384
                  • Instruction Fuzzy Hash: 5FB19A786007029BC764DF65CAE5FABB7E5BF88301F00492EE5AA87391DB34B941CB54
                  APIs
                  • InterlockedExchange.KERNEL32(1002D459,?), ref: 1000C917
                  • InterlockedExchange.KERNEL32(1002D45D,?), ref: 1000C9CE
                  • InterlockedExchange.KERNEL32(1002D461,?), ref: 1000CA85
                  • InterlockedExchange.KERNEL32(1002D465,?), ref: 1000CB3C
                  • InterlockedExchange.KERNEL32(1002D469,?), ref: 1000CBF3
                  • InterlockedExchange.KERNEL32(1002D455,?), ref: 1000CCAA
                    • Part of subcall function 10001D56: IsBadCodePtr.KERNEL32(00000000), ref: 10001D73
                  • GetWindowThreadProcessId.USER32(1000C613,00000000), ref: 1000CCFD
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked$CodeProcessThreadWindow
                  • String ID:
                  • API String ID: 1323220708-0
                  • Opcode ID: a57e3a7ebe96e369419e08ba99744fb8776840faf4a81f30f508d6abc0fe4111
                  • Instruction ID: 2b64659c084c5c153bef61b4d063f84a8c6e811bd728d09e8d095ab07dd3c45c
                  • Opcode Fuzzy Hash: a57e3a7ebe96e369419e08ba99744fb8776840faf4a81f30f508d6abc0fe4111
                  • Instruction Fuzzy Hash: AF5308B5E00348ABEF11DFD4DC82FADBBB5EF08344F540029FA04BA296D7B669548B15
                  APIs
                  • GetWindowRect.USER32(00000001,00000001), ref: 1002140D
                  • GetDCEx.USER32(00000000,00000000,00000020,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 100218AD
                  • CreateCompatibleDC.GDI32(00000000), ref: 100218DC
                  • SelectObject.GDI32(00000000,00000000), ref: 1002195D
                  • PrintWindow.USER32(00000001,00000000,00000000), ref: 10021994
                  • GetObjectA.GDI32(00000000,00000018,00000000), ref: 10021A33
                  • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 10021CA1
                  • SelectObject.GDI32(00000000,00000000), ref: 100220CA
                  • ReleaseDC.USER32(00000000,00000000), ref: 10022153
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: Object$SelectWindow$BitsCompatibleCreatePrintRectRelease
                  • String ID:
                  • API String ID: 2343085801-0
                  • Opcode ID: 63133bb0db85fb87063aa834a4ef367d52919f1049c1e49f4a6d5bd8347d4e59
                  • Instruction ID: af8189180e66b16a91b6480abd6d1d91958fea63da9546105489bf86ff406ccc
                  • Opcode Fuzzy Hash: 63133bb0db85fb87063aa834a4ef367d52919f1049c1e49f4a6d5bd8347d4e59
                  • Instruction Fuzzy Hash: A7A2BCB4E40359ABEF10CF94DC81B9DBBB1FF09304F604064EA09AB295D3B56965CB26
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3f1dde633430918e768b13b2a51082457de319ad1036b8f354e00769dc93de80
                  • Instruction ID: 5b7b81fa37cde402e8267c89ee9e0b2fabe8804c4468255297996b493a73f6a0
                  • Opcode Fuzzy Hash: 3f1dde633430918e768b13b2a51082457de319ad1036b8f354e00769dc93de80
                  • Instruction Fuzzy Hash: 5C62D0796043419BC764DF25C880F6BB7E5EFC4318F15892EE98A97341DB38E805CB6A
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID: ?$\$\REGISTRY\MACHINE$\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT$\REGISTRY\USER$_Classes
                  • API String ID: 0-1655980394
                  • Opcode ID: e22ae917082b87936fa41f08c48656746adfa22af9818a3601b39729e2dc5093
                  • Instruction ID: cfee4882955295f256346ab5d35a508912345f973a0f1410f6445f43bbb6ad63
                  • Opcode Fuzzy Hash: e22ae917082b87936fa41f08c48656746adfa22af9818a3601b39729e2dc5093
                  • Instruction Fuzzy Hash: 379124B5E00209EFDF40DFD4DD85BAE7BB8FF18240F604429E60DAA241D7759B849B62
                  APIs
                  • UnmapViewOfFile.KERNEL32(00000000,00000000,00000000,?,00000018,00000000,00000000,00000000,00000000,00000000,00000018,00000000,00000000,00000000,00000000,00000000), ref: 100226B0
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: FileUnmapView
                  • String ID:
                  • API String ID: 2564024751-0
                  • Opcode ID: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                  • Instruction ID: aca3888e1ced534dfb8bff30dc6f5772290e13aa398f14ea119e8b9ebb5f1563
                  • Opcode Fuzzy Hash: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                  • Instruction Fuzzy Hash: CED1AF75D40209FBEF219FE0EC46BDDBAB1EB09714F608115F6203A2E0C7B62A549F59
                  APIs
                  • GetDC.USER32(00000000), ref: 1001A976
                  • SelectObject.GDI32(00000000,00000000), ref: 1001A9E8
                  • SelectObject.GDI32(00000000,00000000), ref: 1001ABA2
                  • ReleaseDC.USER32(00000000,00000000), ref: 1001ABFD
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ObjectSelect$Release
                  • String ID:
                  • API String ID: 3581861777-0
                  • Opcode ID: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                  • Instruction ID: 0a28f281d22c81f76b667070ee8f4b39c3514b9b46e69f88ae8cd14bf3a1b365
                  • Opcode Fuzzy Hash: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                  • Instruction Fuzzy Hash: 2B9116B0D40309EBDF01EF81DC86BAEBBB1EB0A715F005015F6187A290D3B69691CF96
                  APIs
                  • GetWindow.USER32(?,00000005), ref: 1001A773
                  • IsWindowVisible.USER32(00000000), ref: 1001A7AC
                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 1001A7E9
                  • GetWindow.USER32(00000000,00000002), ref: 1001A872
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: Window$ProcessThreadVisible
                  • String ID:
                  • API String ID: 569392824-0
                  • Opcode ID: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
                  • Instruction ID: 356be4359fdaef5b37944779847d5b641f80ef076249e3ad3302764c89b6051f
                  • Opcode Fuzzy Hash: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
                  • Instruction Fuzzy Hash: 284105B4D40219EBEB40EF90DC87BAEFBB0FB06711F105065E5097E190E7B19A90CB96
                  APIs
                  • GetVersion.KERNEL32 ref: 0052D6CE
                    • Part of subcall function 00533728: HeapCreate.KERNEL32(00000000,00001000,00000000,0052D706,00000001), ref: 00533739
                    • Part of subcall function 00533728: HeapDestroy.KERNEL32 ref: 00533778
                  • GetCommandLineA.KERNEL32 ref: 0052D72E
                  • GetStartupInfoA.KERNEL32(?), ref: 0052D759
                  • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0052D77C
                    • Part of subcall function 0052D7D5: ExitProcess.KERNEL32 ref: 0052D7F2
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                  • String ID:
                  • API String ID: 2057626494-0
                  • Opcode ID: 3acd95fcad5d93a50d5907e8ec44d4f690028c6676ad78365935eb6faaa2cdc4
                  • Instruction ID: 3547b1cf52275eb217c6ec59fb9c691c390ba2562cfeed95e4fa68c760d95463
                  • Opcode Fuzzy Hash: 3acd95fcad5d93a50d5907e8ec44d4f690028c6676ad78365935eb6faaa2cdc4
                  • Instruction Fuzzy Hash: B421BFB1800716AFDB18AFB4EC4AB6E7FB8FF85B10F144519F8019A2D1DB788841DB60
                  APIs
                  • SystemParametersInfoA.USER32(00000059,00000000,00000000,00000000), ref: 100156E3
                  • SystemParametersInfoA.USER32(0000005A,00000000,00000000,00000002), ref: 100158B9
                  • UnloadKeyboardLayout.USER32(00000000), ref: 100159A5
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: InfoParametersSystem$KeyboardLayoutUnload
                  • String ID:
                  • API String ID: 1487128349-0
                  • Opcode ID: 0226bddf635d607848fcc8a3ce1956f1dfd2ff90d5e67fe2f9c10deefa186aa5
                  • Instruction ID: 050fea7ffa1bc3994f10f6bed9b27e470259e4e1db6febdaadab7ec0439d0979
                  • Opcode Fuzzy Hash: 0226bddf635d607848fcc8a3ce1956f1dfd2ff90d5e67fe2f9c10deefa186aa5
                  • Instruction Fuzzy Hash: 224245B5E40305EBEB00DF94DCC2FAE77A4EF18355F540025E605BF286E776AA448B62
                  APIs
                  • lstrlen.KERNEL32(00000000,FFFFFFFF,00000000,?,00000000,00000000,00000001,FFFFFFFF,00000000,?,FFFFFFFF,00000000,?,FFFFFFFF,00000000), ref: 10019B06
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: lstrlen
                  • String ID: Z$w
                  • API String ID: 1659193697-2716038989
                  • Opcode ID: 14b0ca790eb9ae8847579f1349c02be75ec1f05ac398c4f3cad0be9f6ca5cf29
                  • Instruction ID: 282b89e6495933af6440fbbb597b1de90ef5dffa39cee2d72f7ed257570ffe54
                  • Opcode Fuzzy Hash: 14b0ca790eb9ae8847579f1349c02be75ec1f05ac398c4f3cad0be9f6ca5cf29
                  • Instruction Fuzzy Hash: 550202B0D0061CDBEB10DFE1E9897EDBBB4FF48340F2140A4E485BA249DB725AA5CB55
                  APIs
                  • WindowFromDC.USER32(00000000), ref: 100237BF
                  • GetCurrentObject.GDI32(00000000,00000007), ref: 100237FF
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: CurrentFromObjectWindow
                  • String ID:
                  • API String ID: 1970099965-0
                  • Opcode ID: b4fc28a30c016e0f3434186770363817d1562ad41469c0952657f73b3ef3185f
                  • Instruction ID: 5e3447216257589ac88371f0c3b1c154c22f3bd6e68f106655ab8dd4a69be074
                  • Opcode Fuzzy Hash: b4fc28a30c016e0f3434186770363817d1562ad41469c0952657f73b3ef3185f
                  • Instruction Fuzzy Hash: 9F313770D40308EBDB00DF90D886BADBBB0FB0A751F409065F6087E290E7B19A54DF96
                  APIs
                  • GetStockObject.GDI32(00000011), ref: 1001ACD1
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ObjectStock
                  • String ID:
                  • API String ID: 3428563643-3916222277
                  • Opcode ID: 34811a479ff939bbd0d37306ad3751707146f9b865cac1cf01731385c4780bb4
                  • Instruction ID: b9a15d43875d05f13c7aca3fde3137a0688d1b6e1dffe905ed574dcac1c1d11e
                  • Opcode Fuzzy Hash: 34811a479ff939bbd0d37306ad3751707146f9b865cac1cf01731385c4780bb4
                  • Instruction Fuzzy Hash: AE325BB5A402569FEB00CF98DCC1B99BBF4FF29314F580065E546AB342D379B991CB22
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: Close
                  • String ID: (
                  • API String ID: 3535843008-3887548279
                  • Opcode ID: 7a332dac4401a920269cba03dc06d0fc5b09a4c31d79a57ea6b303e349c4f0f0
                  • Instruction ID: acc8f56f01466ae78c1c2cfb7f14f5a9cb3254fd2462285b483ece6b545600e1
                  • Opcode Fuzzy Hash: 7a332dac4401a920269cba03dc06d0fc5b09a4c31d79a57ea6b303e349c4f0f0
                  • Instruction Fuzzy Hash: 41220CB5D00219ABEF00DFE4ECC1BAEB775FF18340F504028FA15BA256D776A9608B61
                  APIs
                  • InterlockedExchange.KERNEL32(1002D531,?), ref: 10025544
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID: Thread
                  • API String ID: 367298776-915163573
                  • Opcode ID: 0f35051adc867b6f3eb31b1a967cfc10eed751901f350b72bdb8150afa714329
                  • Instruction ID: e87a296fab3b19ef06520bc3e141919b3527ea124beb15feda4261f24f1e3c13
                  • Opcode Fuzzy Hash: 0f35051adc867b6f3eb31b1a967cfc10eed751901f350b72bdb8150afa714329
                  • Instruction Fuzzy Hash: 38F116B5E00259ABEF00DFE4EC81BDDBBB5FF08314F640025F605BA241D7B6A9548B65
                  APIs
                  • InterlockedExchange.KERNEL32(1002D529,?), ref: 10024841
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID: Process
                  • API String ID: 367298776-1235230986
                  • Opcode ID: d2f68a8877050e88ca52d3a1b362dc4e0adfd70d905bf2d7a8a251b6a21b3eb8
                  • Instruction ID: 84bd04864f9d1e807072be8e5ab147b3cae892089b2f3c2b5496a308401e609c
                  • Opcode Fuzzy Hash: d2f68a8877050e88ca52d3a1b362dc4e0adfd70d905bf2d7a8a251b6a21b3eb8
                  • Instruction Fuzzy Hash: 85E104B5E41259ABEF00DFE4EC81B9DBBB5FF08304F640025F605BA241EB75A954CB61
                  APIs
                  • lstrlen.KERNEL32(00000000,000000FF,00000000,?,00000000,00000000,?,0000009C,00000000,?,?,FFFFFF9C,00000000), ref: 10026700
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: lstrlen
                  • String ID: #
                  • API String ID: 1659193697-1885708031
                  • Opcode ID: 7e6295f5caa4a652e8defb0c53b8757dc8115242becb546e1cd2ddf94898e13d
                  • Instruction ID: 30fcd15e93819707c4a405128049bbda1367cf8e2b4a4446b34ba685154cf5d7
                  • Opcode Fuzzy Hash: 7e6295f5caa4a652e8defb0c53b8757dc8115242becb546e1cd2ddf94898e13d
                  • Instruction Fuzzy Hash: 2232CF70D0061DEBEB10DFD0EC99BADBBB4FF48340F618094E495BA199CB715AB58B14
                  APIs
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,10007D8B,00000000), ref: 10007EA0
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,FFFFFFFF,10007D8B,00000000,00000000,00000000,00000000,00000000), ref: 10007F7E
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide
                  • String ID:
                  • API String ID: 626452242-0
                  • Opcode ID: bda0d135b53912d681397df84b39cfb901c8e1d28ca02e616f5f005ca4c51389
                  • Instruction ID: b3f739b553b0eb222627b335ec04950199b8c6fc0fb38b6c76c83e211291c2b2
                  • Opcode Fuzzy Hash: bda0d135b53912d681397df84b39cfb901c8e1d28ca02e616f5f005ca4c51389
                  • Instruction Fuzzy Hash: 62417C74E0020DFBEB10DFD0EC46BAEBBB4FB08750F204165F618BA195DBB56A608B55
                  APIs
                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001368C
                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 10013744
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide
                  • String ID:
                  • API String ID: 626452242-0
                  • Opcode ID: 29862c888924d45c4ba2e300f17eb5bcd02a481ba966d84d668dfe1bb4d5aab7
                  • Instruction ID: dea56998412ea2cd2e2e07e98f2853e180ac33eb45cb94fa257388ef996dc557
                  • Opcode Fuzzy Hash: 29862c888924d45c4ba2e300f17eb5bcd02a481ba966d84d668dfe1bb4d5aab7
                  • Instruction Fuzzy Hash: 543141B5E40309BBEB50DFD49C82FAE7BB4EB04710F108055FA18BE2C1D7B6A6909B55
                  APIs
                  • ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,?,?,?,100172C1,00000000,00000000,00000000), ref: 10017D82
                  • ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,100172C1), ref: 10017E29
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: EnvironmentExpandStrings
                  • String ID:
                  • API String ID: 237503144-0
                  • Opcode ID: 69d3f48662c60aa8471e2db2691721ec0b878157a118ab2c20fe49b153d34404
                  • Instruction ID: 93bfbce67b494b6763231a081cd11fe6566247fc84b5e7443ef84a885c003b65
                  • Opcode Fuzzy Hash: 69d3f48662c60aa8471e2db2691721ec0b878157a118ab2c20fe49b153d34404
                  • Instruction Fuzzy Hash: 96313675E00309BBEB51DED49C82FAE7BF4EF08704F104065FA08BB242D772AA509B55
                  APIs
                  • DispatchMessageA.USER32(1001176C), ref: 100116D4
                  • CallWindowProcA.USER32(?,?,?,?), ref: 10011714
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: CallDispatchMessageProcWindow
                  • String ID:
                  • API String ID: 3568206097-0
                  • Opcode ID: 4482fe2aa797ff1df0b8a016cfba6ab4f1edf6d8360ca980b76e75974128ba22
                  • Instruction ID: 63bf1ad0f6820a7cfc32d841282287ffa4cda79eab35e4a2f1e5c3704b1abdfe
                  • Opcode Fuzzy Hash: 4482fe2aa797ff1df0b8a016cfba6ab4f1edf6d8360ca980b76e75974128ba22
                  • Instruction Fuzzy Hash: AE21C775E40318EBDB00EF94DCC2A9DBBB1FB0D310F5040A5EA08AB351D371AA90DB52
                  APIs
                  • ReleaseMutex.KERNEL32(?,?,10026B6B), ref: 100141AB
                  • NtClose.NTDLL(?), ref: 100141D7
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: CloseMutexRelease
                  • String ID:
                  • API String ID: 2985832019-0
                  • Opcode ID: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
                  • Instruction ID: 38ac61447b851c898caa1bdb063a432cf123be9b48bf26603be34453f4d11833
                  • Opcode Fuzzy Hash: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
                  • Instruction Fuzzy Hash: 69F08CB0E41308F7DA00AF50DC03B7DBA30EB16751F105021FA087E0A0DBB29A659A9A
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID: 0-3916222277
                  • Opcode ID: 1d3d201b3cf0f4e34ced4be5fd0ab536c8b491c3572058b51f69840eb97b3778
                  • Instruction ID: 90b3556d9a436454375a3f12806074c3db2d9078b135128fdcdde92096655a79
                  • Opcode Fuzzy Hash: 1d3d201b3cf0f4e34ced4be5fd0ab536c8b491c3572058b51f69840eb97b3778
                  • Instruction Fuzzy Hash: 52C2B7B4F40346ABFB11CA94DCC2B9E77B0EB08390F214165F658FA2DAD7B15E408B56
                  APIs
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000000,00000000,00000000,?,?,?,100078F7,00000000,00000000,00000000), ref: 10002169
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000002,00000000,00000000,?,?,?,?,?,?,?,100078F7), ref: 1000222A
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide
                  • String ID:
                  • API String ID: 626452242-0
                  • Opcode ID: e01d84eb64cce406f4b39f0ec6733233002c155c01e245fd4058cdbcce10abd4
                  • Instruction ID: e83377b6f6ad2707753203cfccfcc485ecbfcdf7635717af9e37d537513bb723
                  • Opcode Fuzzy Hash: e01d84eb64cce406f4b39f0ec6733233002c155c01e245fd4058cdbcce10abd4
                  • Instruction Fuzzy Hash: 29814D75E00209ABEF00DFD4DC86FEEBBB4EF08340F504065FA14BA285D7B5AA548B55
                  APIs
                  • InterlockedExchange.KERNEL32(1002D519,?), ref: 1001DD15
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: 9c37b9bfe50d47b947943e5bde51b1b3a93ad00f865aaf561d5891f7ad451c75
                  • Instruction ID: 7a99189caa79d54ac912ebbbba7bdc920c16141239c7c74b934a59564cf638f4
                  • Opcode Fuzzy Hash: 9c37b9bfe50d47b947943e5bde51b1b3a93ad00f865aaf561d5891f7ad451c75
                  • Instruction Fuzzy Hash: 2A6238B5E40348ABEB10DF94DC82F9DBBB5FF08344F244025F608BE292E7B5A9558B51
                  APIs
                  • PathFindFileNameA.SHLWAPI(00000000,?,00000000,00000000,00000000,00000000,0000001C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001C7F6
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: FileFindNamePath
                  • String ID:
                  • API String ID: 1422272338-0
                  • Opcode ID: 6281f69430544266c8e70e44c834c9405fb1c3bbdf4b57ac0b35b949c557e014
                  • Instruction ID: f98056538ddd495e24e8dfbf0cad4fd33bc614c33abef30b02bddadc29e55c32
                  • Opcode Fuzzy Hash: 6281f69430544266c8e70e44c834c9405fb1c3bbdf4b57ac0b35b949c557e014
                  • Instruction Fuzzy Hash: 364240B5A40219ABEB00DF94ECC2F9EB7B4FF5C354F140025EA09BF241E775A9508B66
                  APIs
                  • InterlockedExchange.KERNEL32(1002D535,?), ref: 10025AFF
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: 1d3983c04ef36cd81e02ff80b8e386635ef27858c32e0cbda266982c8d298185
                  • Instruction ID: ec57d409bd248faccfe3f0420db7539557fe035a6b0d78d3a35a1a7dfc2ec437
                  • Opcode Fuzzy Hash: 1d3983c04ef36cd81e02ff80b8e386635ef27858c32e0cbda266982c8d298185
                  • Instruction Fuzzy Hash: AC5208B5E00208ABEF01DF94EC82FDDBBB5FF08314F544029F614BA292D7B5A9548B65
                  APIs
                  • LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000000,00000000,00000000), ref: 1001D53E
                    • Part of subcall function 10001D56: IsBadCodePtr.KERNEL32(00000000), ref: 10001D73
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: CodeLibraryLoad
                  • String ID:
                  • API String ID: 4269728939-0
                  • Opcode ID: 65fad49489424e2679975017eff27f475cb1f496b382636ee17d060b9eab1fb1
                  • Instruction ID: 8ca3c93d7244418e6012e556740facccd0f38a3c9c4ff1909e44a403dc44f6d3
                  • Opcode Fuzzy Hash: 65fad49489424e2679975017eff27f475cb1f496b382636ee17d060b9eab1fb1
                  • Instruction Fuzzy Hash: BC421AB5E40318AFEF50EF94DC82BDDBBB1FB08740F500125F618BA295D7B6A9808B55
                  APIs
                    • Part of subcall function 10028720: atoi.MSVCRT(00000000), ref: 1002877E
                  • RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 1000918C
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: MemoryMoveatoi
                  • String ID:
                  • API String ID: 2867837884-0
                  • Opcode ID: f552e5f7024ba99e615796b6465fd8c68d714aa37df417cf295f447d032c11c8
                  • Instruction ID: c625aa631b3fd7664a23ceac8d029317df328e953ac31412f977eb30fe789f83
                  • Opcode Fuzzy Hash: f552e5f7024ba99e615796b6465fd8c68d714aa37df417cf295f447d032c11c8
                  • Instruction Fuzzy Hash: 1A023DB5A40216AFFB00DF94DCC1BAEB7A5FF58354F240025E905AB385E7B5B950CB22
                  APIs
                  • RtlMoveMemory.NTDLL(00000000), ref: 1000665A
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: MemoryMove
                  • String ID:
                  • API String ID: 1951056069-0
                  • Opcode ID: eb4082b09fd2d382939d01306d0fc3fdf797f862dfdaeaedf174d431bc084b9e
                  • Instruction ID: de403b7ac96d81ad167a5567031b13b093eba99a0845d2f8fdd956dd85fb778c
                  • Opcode Fuzzy Hash: eb4082b09fd2d382939d01306d0fc3fdf797f862dfdaeaedf174d431bc084b9e
                  • Instruction Fuzzy Hash: 12B151B5A812969BFF00CF58DCC1B95B7E1EF69324B291470E846AF344D378B861DB21
                  APIs
                  • GetKeyboardLayoutList.USER32(00000040,?,00000000,00000000), ref: 10015BEE
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: KeyboardLayoutList
                  • String ID:
                  • API String ID: 4253248152-0
                  • Opcode ID: 44a60376c71096be39f78b695e39bf06f4d8816049d5a531e66a3b74c91e060c
                  • Instruction ID: 3f0b898e91331e47705899626b39ccd446a255f5e12301d86a1815f33d743008
                  • Opcode Fuzzy Hash: 44a60376c71096be39f78b695e39bf06f4d8816049d5a531e66a3b74c91e060c
                  • Instruction Fuzzy Hash: 487158F6E00205AFEB00DFA4ECC2BAE77E5EF58251F540025E609EF341E775A9448B62
                  APIs
                  • LdrGetProcedureAddress.NTDLL(00000000,00000000,00000000), ref: 10006115
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: AddressProcedure
                  • String ID:
                  • API String ID: 3653107232-0
                  • Opcode ID: b0fdcc2e6f29255798221e87a4cc1c59c4c258f69b8f0650fd83bedbacb84739
                  • Instruction ID: 78c0987cb7ffc063797d9a6f9d393f2066e6151a443f59dc1fc5ba499ae867df
                  • Opcode Fuzzy Hash: b0fdcc2e6f29255798221e87a4cc1c59c4c258f69b8f0650fd83bedbacb84739
                  • Instruction Fuzzy Hash: 564146B5D40209AFEB00DFD4EC81BAEB7B5FF18314F244065E909AB245D375AA54CB62
                  APIs
                  • LdrGetDllHandleEx.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 1000B6DF
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: Handle
                  • String ID:
                  • API String ID: 2519475695-0
                  • Opcode ID: 9cc028ce4cef6fd72751e9c02f2673b6ffa45c8eaa4f1332740a5ce7082965a9
                  • Instruction ID: f5b1eeb52ae3afd7add8d8d659320dd3d1fa50eb2e7bb74abf840f5972d141ec
                  • Opcode Fuzzy Hash: 9cc028ce4cef6fd72751e9c02f2673b6ffa45c8eaa4f1332740a5ce7082965a9
                  • Instruction Fuzzy Hash: 6B312FF6D40205ABEB40DF94ECC2B9AB7F8FF18314F184065E90DAB341E375A9548B62
                  APIs
                  • RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ComputeCrc32
                  • String ID:
                  • API String ID: 660108262-0
                  • Opcode ID: 3b3c4a398f2c335a2580c0c2c9e01d6ed997776affae00ca87f118d2e0373c7b
                  • Instruction ID: 885f51156191be290847c32039febb9a430df116088fdaca21ba1fa0fc310e03
                  • Opcode Fuzzy Hash: 3b3c4a398f2c335a2580c0c2c9e01d6ed997776affae00ca87f118d2e0373c7b
                  • Instruction Fuzzy Hash: FE3149B5E00309BBEB51DFD49C82FBE77B8EF14740F104068FA18BA242D7B6A6509B51
                  APIs
                  • GetSystemDirectoryA.KERNEL32(00000000,00000100), ref: 10018935
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: DirectorySystem
                  • String ID:
                  • API String ID: 2188284642-0
                  • Opcode ID: 2c93ccefffdd24751a113a6a8b127da9d46669cbde7100af002d9a110044543e
                  • Instruction ID: ee8817d9cef94c28fb543e8b0ac086dfa591c469ffb5e13cc4bb05c5ca752fcb
                  • Opcode Fuzzy Hash: 2c93ccefffdd24751a113a6a8b127da9d46669cbde7100af002d9a110044543e
                  • Instruction Fuzzy Hash: 2F115875E00309BBEB40DEE49C42BAD76A8EB08754F241469F608FB241D771AB809756
                  APIs
                  • IsBadCodePtr.KERNEL32(00000000), ref: 10001D73
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: Code
                  • String ID:
                  • API String ID: 3609698214-0
                  • Opcode ID: a6e85c84f7705da1f0b0ef0dca21cf6d2d6468ef5f288cf7089c26cb1776d2a9
                  • Instruction ID: e6d0952806afafb3bf167878436ee8aac056beef16ad5c6831721f9da55ad4d1
                  • Opcode Fuzzy Hash: a6e85c84f7705da1f0b0ef0dca21cf6d2d6468ef5f288cf7089c26cb1776d2a9
                  • Instruction Fuzzy Hash: E8118B70900209FBEB60DF64CC05BED7BB4EF01390F2041AAED08AA1D4DB729A15DB85
                  APIs
                  • InterlockedExchange.KERNEL32(1002D4C9,?), ref: 10013C79
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: 8f3db6529a380ad884801686893290e76bb9e31a8db3e312d6667318ca493a2c
                  • Instruction ID: 374fef4b2e02d52e2e07c0ca9dad6c55ed4794edc6ac8ae58a0c039705d7fb64
                  • Opcode Fuzzy Hash: 8f3db6529a380ad884801686893290e76bb9e31a8db3e312d6667318ca493a2c
                  • Instruction Fuzzy Hash: CC0171B5E0020DABDB00FFE09D82BAEBBB9EB04301F404466F50876105EB71EA549B92
                  APIs
                  • InterlockedExchange.KERNEL32(1002D50D,?), ref: 1001A092
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: 5f714afee4867c402fc67ecef455e1855603a07155a017b7538eac9aa4686da4
                  • Instruction ID: cb7720b851b721871b731c706f7cbe3d90cdbd700e2746e4ab45e97b10e25004
                  • Opcode Fuzzy Hash: 5f714afee4867c402fc67ecef455e1855603a07155a017b7538eac9aa4686da4
                  • Instruction Fuzzy Hash: 5C018DB5D00218ABDB11FFD09C82B9E77B8EB09341F804466F50476111D7719B988792
                  APIs
                  • InterlockedExchange.KERNEL32(1002D51D,00000040), ref: 100228E3
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: 194b0fc893c5977093f79026a72dc70755a1496586ec811bd8de5678d100e2c9
                  • Instruction ID: c1b15002a30057ddc80440081b4ff6bc33ecde6fccf9cd62e387e343abd0d63a
                  • Opcode Fuzzy Hash: 194b0fc893c5977093f79026a72dc70755a1496586ec811bd8de5678d100e2c9
                  • Instruction Fuzzy Hash: DF014DB5D0021DFBEB10EFE0AC82B9E7778EB14644F904066F50466151EB719B549B91
                  APIs
                  • InterlockedExchange.KERNEL32(1002D3FD,08000000), ref: 10006CF7
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: 23192da6ecbc83458441ebdd5d9c372dffc65ab0074d72a51acdd461767757be
                  • Instruction ID: 4cade7ef096b15f562c821cb4de08ab4d3fc558eeb9d0de8a70c828ff9c11a3c
                  • Opcode Fuzzy Hash: 23192da6ecbc83458441ebdd5d9c372dffc65ab0074d72a51acdd461767757be
                  • Instruction Fuzzy Hash: 170175B5E0020DEBEB00EFE0EC82FAE7B79EF04240F504066E51566105D771AB549B92
                  APIs
                  • InterlockedExchange.KERNEL32(1002D481,00000000), ref: 1000FD11
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: 4a2eef44144669db4c1f9733a33db670b7915dec5e8fa15a72f47dd6e77bff96
                  • Instruction ID: 0aed2d4544eee8039acc50f3c1f3685790efcc1e5774387d789b9b1403c596f7
                  • Opcode Fuzzy Hash: 4a2eef44144669db4c1f9733a33db670b7915dec5e8fa15a72f47dd6e77bff96
                  • Instruction Fuzzy Hash: 9A0188B5D0430DABEB10FFE09C82FAE7779EB04280F40046BF505A6505DB71AA14EB92
                  APIs
                  • InterlockedExchange.KERNEL32(1002D3E1,00000004), ref: 10003177
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: da42de84fdc45480a06cd4378e972f835c842b750d11b0a6ad2ad2daa698017b
                  • Instruction ID: 385097fba51063c84e9e930c69dc2d7aac367372f62906f312b1c310141ed2ce
                  • Opcode Fuzzy Hash: da42de84fdc45480a06cd4378e972f835c842b750d11b0a6ad2ad2daa698017b
                  • Instruction Fuzzy Hash: 40015275D00208E7EB01EFE09C92BEF7B78EB08280F404066E51566155DB71AA149B92
                  APIs
                  • InterlockedExchange.KERNEL32(1002D485,00000000), ref: 1000FDAE
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: 1a48310d62d447e18139df79d4c208d7064efbc4de3590175f6bd695f184c1e5
                  • Instruction ID: 3f7b499d2902c1e46d25e5c31060a7ca09a1136a131adf16b63838e7b32e6cd5
                  • Opcode Fuzzy Hash: 1a48310d62d447e18139df79d4c208d7064efbc4de3590175f6bd695f184c1e5
                  • Instruction Fuzzy Hash: 0B018875D0024CABEB00FFE0DC82EAE7779EB05380F50006AF505A6115DB716A54EB92
                  APIs
                  • InterlockedExchange.KERNEL32(1002D43D,?), ref: 10008E04
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: afcca2c59449e325cff3936334e354c9cd28eb17edf5175cf760837ed83860e1
                  • Instruction ID: 4c97a0654b066084171f968f8b0ad47121c2de6078470ba5a976a0987d87b010
                  • Opcode Fuzzy Hash: afcca2c59449e325cff3936334e354c9cd28eb17edf5175cf760837ed83860e1
                  • Instruction Fuzzy Hash: EC0175B5D00219E7EB00FFE0EC82BAE7B78FB14240F504466F54566145EB716B549B92
                  APIs
                  • InterlockedExchange.KERNEL32(1002D40D,00000008), ref: 10007E19
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: c28a3b2f2e25cb6acfcff6b005e4e53fcd9242a91f843676d212f9070d1610bf
                  • Instruction ID: 3b8a368ce3914a44cda768e978636fd60f477d925661c7c420499c797e447cb4
                  • Opcode Fuzzy Hash: c28a3b2f2e25cb6acfcff6b005e4e53fcd9242a91f843676d212f9070d1610bf
                  • Instruction Fuzzy Hash: 9B0171B5D00249ABEB00FFE0EC82AAEBB78FB04240F404466E60966115DB75AB549B92
                  APIs
                  • InterlockedExchange.KERNEL32(1002D441,?), ref: 10008EA1
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: b38c6ebf94637de38798da6e1c23dd87dd1bdd738f4a7bbe3db8cae8409ee598
                  • Instruction ID: 1686f6cdf9a679c1f5c84585fd33387023eb604c586a5dba44084a63d2e43e5f
                  • Opcode Fuzzy Hash: b38c6ebf94637de38798da6e1c23dd87dd1bdd738f4a7bbe3db8cae8409ee598
                  • Instruction Fuzzy Hash: 9C0171B5D00359ABEB10FFE0DC82BAEBB78FB04380F400066E64576115EB71AB54CB92
                  APIs
                  • InterlockedExchange.KERNEL32(1002D47D,00000000), ref: 1000FAD0
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: 2ecd14835ddfe2db98adf362f1cc27abc66221ca3baeee4228986d5531294eba
                  • Instruction ID: 82e752f980966cf0ba4425328bdbe0b5f15696934bb6f442517d9b0340b204dc
                  • Opcode Fuzzy Hash: 2ecd14835ddfe2db98adf362f1cc27abc66221ca3baeee4228986d5531294eba
                  • Instruction Fuzzy Hash: 510179B5E00209EBEB00FFE09C82AAEB778EB05240F504466F54566145EBB16654DB92
                  APIs
                  • InterlockedExchange.KERNEL32(1002D521,00000000), ref: 10022AE1
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: c21c2a8c4cec09cdedbb30eba6480203a51324f4c4c5902b1b0fefa990e6b838
                  • Instruction ID: 1a66ded8f8981fca5c39a2578b95296ca62aec53b1f76630b0cdbd515d7a4f8c
                  • Opcode Fuzzy Hash: c21c2a8c4cec09cdedbb30eba6480203a51324f4c4c5902b1b0fefa990e6b838
                  • Instruction Fuzzy Hash: D60175B5D00308BBDB11EFE0AC82FEEBB78EB14344F400066E90566501E7B56B14DB92
                  APIs
                  • InterlockedExchange.KERNEL32(1002D4B9,10026CF1), ref: 10011EEA
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: 387a02cd27c85a9e9645a962391e1fc87b5c3584c8544df15e9cc9309148cd0f
                  • Instruction ID: ae9516facd56fc145b0b9ba1995b908798816dd09d6beae3d77d7b55205b3fe1
                  • Opcode Fuzzy Hash: 387a02cd27c85a9e9645a962391e1fc87b5c3584c8544df15e9cc9309148cd0f
                  • Instruction Fuzzy Hash: AF0184B5E0420CABDB00FFE0EC82BEEBBB9EB04244F400466F5056A111DB75EA549B92
                  APIs
                  • InterlockedExchange.KERNEL32(1002D525,00000000), ref: 10024745
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: 16372e4eb88579a8b12f2817b7d5f3197544eee2f9c96a83dd2f20b74f294324
                  • Instruction ID: 4f30fde94411f2541dcfd4e169ebb1e46575794177a9fc60b21b5106f81313a2
                  • Opcode Fuzzy Hash: 16372e4eb88579a8b12f2817b7d5f3197544eee2f9c96a83dd2f20b74f294324
                  • Instruction Fuzzy Hash: 1001D8B5D0431CA7DB00FFE0ACC2FAEBB78EB05300F810465E51566101EBB16A14DB92
                  APIs
                  • InterlockedExchange.KERNEL32(1002D435,?), ref: 10008B88
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: c9e7b862b60fe74ed4fe71638f98d4edbead8bac7f3d7a8f9d653b4e1fb7c940
                  • Instruction ID: 91e5747cc3fe246938bda6916c84b67a4fdfd623eeedb860250414ba6297eca5
                  • Opcode Fuzzy Hash: c9e7b862b60fe74ed4fe71638f98d4edbead8bac7f3d7a8f9d653b4e1fb7c940
                  • Instruction Fuzzy Hash: 7B0171B5D0020DABEB50FFE49C82EAEBBB8FB04240F500466E54466115EB71AB14DB92
                  APIs
                  • InterlockedExchange.KERNEL32(1002D411,?), ref: 1000839E
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: 278c620e1e7e4d768f896ce18c2c498cb7bc6a05be8e6297497d5f0b97cf32e1
                  • Instruction ID: 31dc5b1c38583c82a0824eac09af333b299f07736d69ab93248bda9d1065cdb0
                  • Opcode Fuzzy Hash: 278c620e1e7e4d768f896ce18c2c498cb7bc6a05be8e6297497d5f0b97cf32e1
                  • Instruction Fuzzy Hash: 390175B5D04308A7EB40FFE09C82AAE7778FB04640F405476F54466145D771AB54CB92
                  APIs
                  • InterlockedExchange.KERNEL32(1002D44D,00000000), ref: 1000B3B4
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: 76ce89a9342da98fe2dfecb2c94b98527dad8150a52251657d2f7bd5707e59c8
                  • Instruction ID: a0f89ea6e8a02a489adc9b983919e457af64c69ca27a1623b1b8ea733fed46f6
                  • Opcode Fuzzy Hash: 76ce89a9342da98fe2dfecb2c94b98527dad8150a52251657d2f7bd5707e59c8
                  • Instruction Fuzzy Hash: 5F0184B5D0030CEBEB00FFE0AD92FAEBB78EB04240F504066F50466145DBB1AB54DB92
                  APIs
                  • InterlockedExchange.KERNEL32(1002D4C5,00000014), ref: 10013804
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: df7046381827650c065037a5133842a2a86736d1ba20d916eef21a95625819b6
                  • Instruction ID: 3d49d6b3b442fbd771079eef3efcaca9525747ce25c9376b7200e1962427cb25
                  • Opcode Fuzzy Hash: df7046381827650c065037a5133842a2a86736d1ba20d916eef21a95625819b6
                  • Instruction Fuzzy Hash: 420152B5D04309A7EB00FFE09C82AAEB778EF04240F504066F50466151EB75AA54DB92
                  APIs
                  • InterlockedExchange.KERNEL32(1002D439,?), ref: 10008C25
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: 1ec75bcf5a5c2b71d65e273564a3b3c9b1f3326e431629a853761c1f5ea93f69
                  • Instruction ID: e89bca5dfd4d69b457f6ee300803ba63458d7d33b5f739f05a8734b2afd2cb97
                  • Opcode Fuzzy Hash: 1ec75bcf5a5c2b71d65e273564a3b3c9b1f3326e431629a853761c1f5ea93f69
                  • Instruction Fuzzy Hash: 4C0171B5D00209ABEB00FFE49CC2EAEBB78FB04240F900466E55566116DB71AB549BA6
                  APIs
                  • InterlockedExchange.KERNEL32(1002D4D9,?), ref: 10014029
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: 2023bc8ebed8db9c71d14d41a16ae57d1e69fa0acd5bbe78306c23398d50d97a
                  • Instruction ID: 2564c689c805b87f96d1dc3a9772f8e9f463aef008d258d62ef8b45eff4f05b1
                  • Opcode Fuzzy Hash: 2023bc8ebed8db9c71d14d41a16ae57d1e69fa0acd5bbe78306c23398d50d97a
                  • Instruction Fuzzy Hash: 8E01D875D0030CA7DB11FFE09C82F9E7779EB08300F400026F615A7112DB75EA549B92
                  APIs
                  • InterlockedExchange.KERNEL32(1002D409,00000001), ref: 10007C2B
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: 61d08e19df0a214d9286b1d052d7edc03e2565f5d48c7273754c1c18bed95e81
                  • Instruction ID: c3b43e173740565f2226f67ccfeaefedf346a2cdf78e56352eac70fc933f1a03
                  • Opcode Fuzzy Hash: 61d08e19df0a214d9286b1d052d7edc03e2565f5d48c7273754c1c18bed95e81
                  • Instruction Fuzzy Hash: B0017575D0020CA7FB00FFE09C86F9EBB78FB14340F44446AE61966105E775AA549B92
                  APIs
                  • InterlockedExchange.KERNEL32(1002D52D,00000000), ref: 10025448
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: c904fddc6ddc8d15f4d357e5ecb68cc14fb2d08915d767a0cb86d415350261cd
                  • Instruction ID: 3e1362fdfd7180a89e2653fc66fb6b654d9ba0ea71b3ee1e512a707afa301e7c
                  • Opcode Fuzzy Hash: c904fddc6ddc8d15f4d357e5ecb68cc14fb2d08915d767a0cb86d415350261cd
                  • Instruction Fuzzy Hash: 730188B5D0021CA7DB00FFE0AC82B9EB7B8EB04345F904467F90566111D7B29A549B96
                  APIs
                  • InterlockedExchange.KERNEL32(1002D451,00000000), ref: 1000B451
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: 51b26b4892ccffcc6dc83c2534fb8f59ce223cf36af1d5fc13b3d33c47b94d86
                  • Instruction ID: 8d0e244bf49903d48fd7c686830ea074e98c76a4a96eec9f774984162f9bf409
                  • Opcode Fuzzy Hash: 51b26b4892ccffcc6dc83c2534fb8f59ce223cf36af1d5fc13b3d33c47b94d86
                  • Instruction Fuzzy Hash: BF0148B5D0431DABEB00FFE09C82FAEB778EB14340F904465F50566116EB71AB54DB92
                  APIs
                  • GetAncestor.USER32(100236B8,00000001,?,?,100236B8), ref: 1002371A
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: Ancestor
                  • String ID:
                  • API String ID: 4063365101-0
                  • Opcode ID: 0be6b4715263265285db1f468f36bdd37c7f824151cbff8a336d8021942bab24
                  • Instruction ID: eb8589c6fe16dd3324ac60df81f06840749ea93634a8b87ae7cb4ae9ae9ba44e
                  • Opcode Fuzzy Hash: 0be6b4715263265285db1f468f36bdd37c7f824151cbff8a336d8021942bab24
                  • Instruction Fuzzy Hash: C3F03CB4E44308EBDB10EF90E9467ADFB70EB06741F509065E6047B180E7B25A509A8A
                  APIs
                  • CreateMutexA.KERNEL32(00000000,00000000,00000001,00000001,00000000,00000000,00000001), ref: 100101C4
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: d12216730a6dd428996d56869a6fc80ed1219f4cbb400b599376012f3700107f
                  • Instruction ID: 16cce99742d90ffd21a6e538df0c97e42957f62968f0f4cbc8e65f9f29ad9446
                  • Opcode Fuzzy Hash: d12216730a6dd428996d56869a6fc80ed1219f4cbb400b599376012f3700107f
                  • Instruction Fuzzy Hash: D8F03970E45208FBDB21EF95DC02BADBB74EB05741F1080A5FA087A180D7B5AB509B95
                  APIs
                  • ReleaseMutex.KERNEL32(?,1000702C), ref: 1000635D
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: MutexRelease
                  • String ID:
                  • API String ID: 1638419-0
                  • Opcode ID: 409f3bf5a2a7effd3d518b78c876aaf5ee200c7d662fef1c20eca6aafb3e8a79
                  • Instruction ID: 7b3213fa97c1f7abe5e99e727b00606adf76b996470ce0c1231a1946aded7527
                  • Opcode Fuzzy Hash: 409f3bf5a2a7effd3d518b78c876aaf5ee200c7d662fef1c20eca6aafb3e8a79
                  • Instruction Fuzzy Hash: 3AD017B0D45308B7E610AE90EC03B69BA34D706761F105161FA082A190E6B2AB2496DA
                  APIs
                  • HeapAlloc.KERNEL32(00000008,00000000), ref: 1000F7E5
                    • Part of subcall function 1000FA6F: InterlockedExchange.KERNEL32(1002D47D,00000000), ref: 1000FAD0
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: AllocExchangeHeapInterlocked
                  • String ID:
                  • API String ID: 3051970009-0
                  • Opcode ID: 022b8115eb5ce5199829a80c414696cba4458c1422a7b80e9c996825c196cccc
                  • Instruction ID: 8cc4e7238832c14419a96c129bec8d194933ec370394a89dab4d823145446c67
                  • Opcode Fuzzy Hash: 022b8115eb5ce5199829a80c414696cba4458c1422a7b80e9c996825c196cccc
                  • Instruction Fuzzy Hash: 51310270D40209FEFB11DFA0CC02BEDBBB5FB04780F208169F614BA194DBB56A54AB55
                  APIs
                  • HeapAlloc.KERNEL32(00000008,?,?,10026C94), ref: 1000247B
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: AllocHeap
                  • String ID:
                  • API String ID: 4292702814-0
                  • Opcode ID: 0dd204370fe18862268228c1c8de2b552e2688217c670dbeba92eeddf2ae1a81
                  • Instruction ID: 104a27a5d458cbbbe33f9f96244b29e3d4c33b82fd0089700704125604d1dba2
                  • Opcode Fuzzy Hash: 0dd204370fe18862268228c1c8de2b552e2688217c670dbeba92eeddf2ae1a81
                  • Instruction Fuzzy Hash: BDE08634D85308B7E610EF40DC03F29BA38E702751F508012FA083A090D6B25A649B87
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 81006eb9e473d180177001475ccb3f5d85a486848d635e7b77511459b26a50e2
                  • Instruction ID: b82dc38e16616ddd987b864122364eac5c1fff58b477e30fd6f02d7e5179368c
                  • Opcode Fuzzy Hash: 81006eb9e473d180177001475ccb3f5d85a486848d635e7b77511459b26a50e2
                  • Instruction Fuzzy Hash: 85721AB5E40309ABEB00DF94ECC2FDDBBB5EB0C354F644025F604BA296D7B269548B25
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e69f0c751b4262d556ab7d8e659c133a8de82433dc850d146ab5d350a12c39cd
                  • Instruction ID: 551f598227d6dd39184c223fb6ed838a91ab17f663f6174eca7434abf6d8a969
                  • Opcode Fuzzy Hash: e69f0c751b4262d556ab7d8e659c133a8de82433dc850d146ab5d350a12c39cd
                  • Instruction Fuzzy Hash: 40624CB5E41208BBEF11DFD0EC82BDDBBB5EF08354F204029F604BA291D7B5A9958B14
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6d84f2b69ea6095c90f23bd9b6d1a5a8279a6636e2ec472cfa5718089ee139e8
                  • Instruction ID: a5955423d14317f839d9afbcb2b9ced9374c1de9beecc9198591da7258e3e5d6
                  • Opcode Fuzzy Hash: 6d84f2b69ea6095c90f23bd9b6d1a5a8279a6636e2ec472cfa5718089ee139e8
                  • Instruction Fuzzy Hash: 5D32F7B1B412529BFB00CF58ECC0B59B7A5EFA9324F290074E946AF341D379B861DB61
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f04032a532c17935709fed7173e226e9a954ec38d62b032ac7340ce8b9de18a0
                  • Instruction ID: 3de84c3e889b2c0bc8bcd444dabd38468fbc88aeca599d708b385d83fa676b17
                  • Opcode Fuzzy Hash: f04032a532c17935709fed7173e226e9a954ec38d62b032ac7340ce8b9de18a0
                  • Instruction Fuzzy Hash: 8E22F8B2B812529BFB00CB58ECC0B55B7A5EFA5328F290474E9469F341D379F861DB21
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 060caa462227d063eaf04c7f21a9b9660bb70fdd2aceff3ad377bb009bd70efe
                  • Instruction ID: 2248021ac5db34a560a572e85a1c1eea5c01ad721331a673fc7f7bdbc18de49f
                  • Opcode Fuzzy Hash: 060caa462227d063eaf04c7f21a9b9660bb70fdd2aceff3ad377bb009bd70efe
                  • Instruction Fuzzy Hash: 90524471D00259CBEB20CFA4D8857DDBBB0FF48344F2180A4D599BB249DB756AA5CF90
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 09f72d9719a13788e266dacaba0ea585b20990d3c1d733c69aa7536c06bb4951
                  • Instruction ID: fa5432d9c06c826fba32fdae05fe74482de4f60f477d8ade94ddac0ef3f6a6e0
                  • Opcode Fuzzy Hash: 09f72d9719a13788e266dacaba0ea585b20990d3c1d733c69aa7536c06bb4951
                  • Instruction Fuzzy Hash: 602215B5E00309AFEF10CF94DC82BEEBBB0FF09354F204025EA14BA296D77569548B65
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 68d3902ef48eb2b0ea1e98523cf84d220f884a2bc31b4a3403d1743386bbda7f
                  • Instruction ID: 15cd058cb613ad93b2deb671447fd93daff6b1ebb966e0e7c4ee6c7ed785d811
                  • Opcode Fuzzy Hash: 68d3902ef48eb2b0ea1e98523cf84d220f884a2bc31b4a3403d1743386bbda7f
                  • Instruction Fuzzy Hash: BDA160B5E00209ABEB40DEE4DC85FDE7BB8EF08354F144065FA04AA241EB75EB94CB51
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7200f153caa90d48a9700c6273f72d88bef546347f9c4dfa1c1c74185b342bdd
                  • Instruction ID: 14e6b09ccae86c50f75a937e7e6fe01258ff4770b1647dfaac81a6f85d8f69f1
                  • Opcode Fuzzy Hash: 7200f153caa90d48a9700c6273f72d88bef546347f9c4dfa1c1c74185b342bdd
                  • Instruction Fuzzy Hash: 7A911EB5E0020AABEF10DF94DC85B9E7BB5EF18344F204025FA14BB281D775EB948B65
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f29243b0d0ea20511f4cb1106b1515d46eb23fc76d8db8d1afdd2d9a1039e213
                  • Instruction ID: 03d07b771d78d2ead9be031f4861621435dfbb7e08fb32216ea170559a01278e
                  • Opcode Fuzzy Hash: f29243b0d0ea20511f4cb1106b1515d46eb23fc76d8db8d1afdd2d9a1039e213
                  • Instruction Fuzzy Hash: 078123B5E4025AABEF00CF94ECC1B9DBBB4FF19310F640025E549BB245D775A851CB25
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bd0974059ae252d5b90eb8f6432f6ddda83af5d10b71b803c1f1bc6c84e1fa75
                  • Instruction ID: fa026d6154386471c9ed67b0d764591261ae5350a3fbb2125f892fb7990afb2f
                  • Opcode Fuzzy Hash: bd0974059ae252d5b90eb8f6432f6ddda83af5d10b71b803c1f1bc6c84e1fa75
                  • Instruction Fuzzy Hash: 7D7135B5E4125AABEF00DFA8ECC1B9DBBB4FF18310F650025E545BB241DB75A851CB21
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ObjectSelect
                  • String ID:
                  • API String ID: 1517587568-0
                  • Opcode ID: 355770622b8ee66c6704d228f7a4cf4399a8d1d5d808ebab5a82fa4d81647a92
                  • Instruction ID: 38d14c2f8622cd03f50353335eeab2373c5cbc47d148ebdcbde86e05c5d9d7ee
                  • Opcode Fuzzy Hash: 355770622b8ee66c6704d228f7a4cf4399a8d1d5d808ebab5a82fa4d81647a92
                  • Instruction Fuzzy Hash: 4E6134B1E40349ABEB10DFE4DC86FEF76F4EB05704F500425F615BA281D7B6AA848B52
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ComputeCrc32CreateMutex
                  • String ID:
                  • API String ID: 2647859408-0
                  • Opcode ID: fb765643ddb528c65f4c8254d2e67b215b37ca112bcddd59e63a3746b6e22e82
                  • Instruction ID: 6e8f39effab6ffe8abe8ce8b2f006d743ef601de1a83054572dbacb1371b805f
                  • Opcode Fuzzy Hash: fb765643ddb528c65f4c8254d2e67b215b37ca112bcddd59e63a3746b6e22e82
                  • Instruction Fuzzy Hash: FA611274E40319EBEB00EF91DC87BEEBB71EB05750F200026F6147A191D7B1AA51DB96
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 177ff9bcddc0062e541eb72a297809aa775245e2e6d8d1f130c2bdda6e790eca
                  • Instruction ID: b3edc6188f52fe0267c65f768a9f0694fa0e22adacd15ae2cea2a64ff053d747
                  • Opcode Fuzzy Hash: 177ff9bcddc0062e541eb72a297809aa775245e2e6d8d1f130c2bdda6e790eca
                  • Instruction Fuzzy Hash: E4512774E40316ABEB10CF94DC96FAE77B4EF04700F604019FA49BE291D7F59A948B92
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 999cff3d56ebaad1770f9eebce6b814e78184f0733c47f680aeb2efe81abf9bb
                  • Instruction ID: 3ff1e0272834ebdf1ae0fa1b74ff5d017005019b99e03679453d0ba0a45af6fd
                  • Opcode Fuzzy Hash: 999cff3d56ebaad1770f9eebce6b814e78184f0733c47f680aeb2efe81abf9bb
                  • Instruction Fuzzy Hash: E2512EB5D0021AABEB00DF94DCC1BAE77B4FF18314F140465E508EB301E775AA50CB62
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 848507941d9fbffb7cbc7b29cbefd203ef99eb4224134117eb04a7a1748b5fdf
                  • Instruction ID: 740361c2a2a7975ea98c5d6579f5497acae074faf2527958cbce1f24f1a7fcbb
                  • Opcode Fuzzy Hash: 848507941d9fbffb7cbc7b29cbefd203ef99eb4224134117eb04a7a1748b5fdf
                  • Instruction Fuzzy Hash: 84516B75E00209EBEB00CF94DC86FAE77F4EB05344F654055F914BE281E776DA948B62
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c551d9ee4e18ac04d199571815a8ce167b17ea29bf87976a5931350147ad1b07
                  • Instruction ID: 6e2a16805fa032cb188a6ab09911055340e312e86faa01d054a0585f1b90ccec
                  • Opcode Fuzzy Hash: c551d9ee4e18ac04d199571815a8ce167b17ea29bf87976a5931350147ad1b07
                  • Instruction Fuzzy Hash: 14312270D44609EBEF00EF80DC46BAEBB71EB06355F205169FA043A191D3B64A54DF9A
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4f752ba2bd3efe35c0db813093cd95cfd95bebb34e1c0840b79ae46e9a3f7aa2
                  • Instruction ID: fcd9660d6a72fe45eefc1d8f4cbc8b5498bd8d2469cb5e857af72b9432f5bd19
                  • Opcode Fuzzy Hash: 4f752ba2bd3efe35c0db813093cd95cfd95bebb34e1c0840b79ae46e9a3f7aa2
                  • Instruction Fuzzy Hash: F3313575E40308AFEB50DF94DC82B9DBBB4EB0C741F504065F608EB745E7B59A409B52
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bcbbfe027ddbde3ca2b7ee6e7a9b101e6e640faf627c7a0eeba07689440a2c60
                  • Instruction ID: 0e6d90bd3a1296b327673a782b8a2de37a0e9d786c9d2f722c0ab1c87383cc98
                  • Opcode Fuzzy Hash: bcbbfe027ddbde3ca2b7ee6e7a9b101e6e640faf627c7a0eeba07689440a2c60
                  • Instruction Fuzzy Hash: 69317375E40308AFEB40DF94DC82B9EBBB4EB08340F504075E608EB696E3B56A409B52
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 918643da65e37feeb39471fc9b76e24dac407e2b29faf6ea47c3fc6075c6ae67
                  • Instruction ID: f5bd11c3930f14deff6542fe37b9d91d6d9d9f7f47c674184f68d859604aa839
                  • Opcode Fuzzy Hash: 918643da65e37feeb39471fc9b76e24dac407e2b29faf6ea47c3fc6075c6ae67
                  • Instruction Fuzzy Hash: 8821F975A04209EFEB41CF90CD82BAE77F8EB05754F244015B908BA181E7B5EAD09B62
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ef8a370add3d5418976353e0fc23bf6dee6b9d923330f9d60947765b51f42246
                  • Instruction ID: cb764db9af18425858f0870d561dcf750e8236d090e6b6f48ce3485ee4cf3179
                  • Opcode Fuzzy Hash: ef8a370add3d5418976353e0fc23bf6dee6b9d923330f9d60947765b51f42246
                  • Instruction Fuzzy Hash: 7E114634845224FBEA11FF90DC42B68BBA1E712345F215067F6042A0B5DBB2ADD6DA42
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 37003275f3eaa72a6ef67eca1d876927b20d3cea41f567a5b2a029eb66a1c75e
                  • Instruction ID: eeae7fc577553641f4f664837c49950aecc16b69e97dd8631aebf4018e73b438
                  • Opcode Fuzzy Hash: 37003275f3eaa72a6ef67eca1d876927b20d3cea41f567a5b2a029eb66a1c75e
                  • Instruction Fuzzy Hash: FA2137B090060AEAFB10DFA0C844BEEBAB8FB05380F204271F990A6198D7349AD5D754
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5e64809ee3449bf2a7df32ff2943633b8c15e644a62c7bb0cedcca55993e9baa
                  • Instruction ID: ba505964bce734d70dae5fb9ba97fd24188bee46f8c6b217aecce00d80479512
                  • Opcode Fuzzy Hash: 5e64809ee3449bf2a7df32ff2943633b8c15e644a62c7bb0cedcca55993e9baa
                  • Instruction Fuzzy Hash: C9112875D00208FBEF00DF90C84579DBBB0EB05345F508069F908AE290DB759B94DB91
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e2f1484a5e89f92b7548bae6589aecaccf6235fa81f97c2c0215c37c853ae1f6
                  • Instruction ID: 8996d56321af788ecdb48f59df6a7f6deac0e56e76c4d4795bf28b9d59f37b7c
                  • Opcode Fuzzy Hash: e2f1484a5e89f92b7548bae6589aecaccf6235fa81f97c2c0215c37c853ae1f6
                  • Instruction Fuzzy Hash: D3110975D0020DABEB00DFD0DC46BAEBBB8FF04704F104455F914BA190E7B2AB549B91
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dea71471854b7794d7273d518db6e4b972dc62c76027c577b271c860ea424262
                  • Instruction ID: aa05f780bf07b04a9dbad2cba23d858d9fb5007feb3f8ac9aeeac6949bb19c5c
                  • Opcode Fuzzy Hash: dea71471854b7794d7273d518db6e4b972dc62c76027c577b271c860ea424262
                  • Instruction Fuzzy Hash: 07015335980208FBEF11DFA1DD02BDEBB74EB00350F108022BA146E1A0D772DAA0ABC1
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 621178d27eafce4a1d86bdd6d4636c6e0afcccb944ec7a99f9e7a057a9f1ad00
                  • Instruction ID: f86e8bef0b9f5b7b48e3b9b3acc0b6cb1fd06cabc4355fe6e2609782588421e0
                  • Opcode Fuzzy Hash: 621178d27eafce4a1d86bdd6d4636c6e0afcccb944ec7a99f9e7a057a9f1ad00
                  • Instruction Fuzzy Hash: B401EC7594020CBEEF11DF80DC42FEDBB79EB09740F108051FA046D091D7B29AA5AB95
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7397f0f5fb6be8bcaaa4e77a6887201b2645371ef3c2632b50f96f60a1aee293
                  • Instruction ID: e7353d8a689e469959c960a5bb5359493e28a0ae3a5db89d5c895ffd79e8d98e
                  • Opcode Fuzzy Hash: 7397f0f5fb6be8bcaaa4e77a6887201b2645371ef3c2632b50f96f60a1aee293
                  • Instruction Fuzzy Hash: 64F04970D00208FBEB10DF90CC06BADBFB0EB01341F204065F9007A1A0D7B6AB94DB85
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2d443f961325e826377ab455a3b784cc22cadc769fa486d24d41cd9801f717dc
                  • Instruction ID: 682ee749917f4e023bc7197140f76a097522797ecf20c1f45cbbd45c019d52a4
                  • Opcode Fuzzy Hash: 2d443f961325e826377ab455a3b784cc22cadc769fa486d24d41cd9801f717dc
                  • Instruction Fuzzy Hash: 3CF0FE74D44258EBDB14EE90D8057EDBA74E706305F504266EA04AE190D3B18BA4DB96
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7cdb49a0a6253429c80267c98a25499fd9d93a71a0b292b5a728f2a2f59ffa35
                  • Instruction ID: 02fc14b9e54e6900d73ffd4e28a19c8708dbe27031dd51c44bf3dba7fdb031ba
                  • Opcode Fuzzy Hash: 7cdb49a0a6253429c80267c98a25499fd9d93a71a0b292b5a728f2a2f59ffa35
                  • Instruction Fuzzy Hash: ECF05474A00308FBEB21CF94CD81B9CBBB0EF09300F2080E4FE0467381E6B15A509B51
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 19f0f76c576cdd84307bd26bd9b5886d4290dca15e1ac3f3f611f9243f0388a9
                  • Instruction ID: bbfaceb90791bb35eed418166a23c42ee1e6653db07919fbe020635ad9369783
                  • Opcode Fuzzy Hash: 19f0f76c576cdd84307bd26bd9b5886d4290dca15e1ac3f3f611f9243f0388a9
                  • Instruction Fuzzy Hash: B9F03975D00218EBDB00EE90D80ABAEBA78EB15301F100465EA086E190D3B59B54DA96
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 07f80700cc5210cda7409edc569743553da25c12f3afe71f335ab42793a68d5e
                  • Instruction ID: 33dc01a3c2299a3cd355405e5767cb27c6d7fba89f237eed4e622fd5132f0db0
                  • Opcode Fuzzy Hash: 07f80700cc5210cda7409edc569743553da25c12f3afe71f335ab42793a68d5e
                  • Instruction Fuzzy Hash: 5AE08C34D49308B7D610EF40AC87B28BA35E706701F505056FA043A090E7F2AA649A8A
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 13fe8401390d9f71333325ae1b2cb84fa7ba5aa184835648c676b8c7a690914e
                  • Instruction ID: 761fadcd4debd2308a54b226b4f8dff580185d7010702b48f65d1b5b1071df53
                  • Opcode Fuzzy Hash: 13fe8401390d9f71333325ae1b2cb84fa7ba5aa184835648c676b8c7a690914e
                  • Instruction Fuzzy Hash: 66E08C34D45308B7D610EF50EC43B6CBB34E707700F108056FA083A1A0D7B29E60ABCA
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 989ed4646566f77c2ab72184739a9137b5d7eae5940c08cbaa9d6fc56a31f36c
                  • Instruction ID: 1fae9ae4253266a87bc96311d46508b5db8f13d56845d8971887a42445dbbd4a
                  • Opcode Fuzzy Hash: 989ed4646566f77c2ab72184739a9137b5d7eae5940c08cbaa9d6fc56a31f36c
                  • Instruction Fuzzy Hash: 7DD05B70D45218F7DA10EF54AC03B39BB34D707761F205261FB143E1D5D6B25920D5DA
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e24509eb4154e54e63d34a257df7f67858844c9b410712c520ef3551b56a8a9a
                  • Instruction ID: 2a9e0740773b8b6f5e110bd1e2332ab73de667f723c53b2bed2784798aa44a4a
                  • Opcode Fuzzy Hash: e24509eb4154e54e63d34a257df7f67858844c9b410712c520ef3551b56a8a9a
                  • Instruction Fuzzy Hash: 90B01232125BD44EC1038309C423B11B7ECE300D48F090090D451C7542C14CF610C494
                  APIs
                  • GetFocus.USER32 ref: 004C3B7F
                  • GetWindowRect.USER32(?,?), ref: 004C3BD6
                  • GetParent.USER32(?), ref: 004C3BE6
                  • GetParent.USER32(?), ref: 004C3C19
                  • GlobalSize.KERNEL32(00000000), ref: 004C3C63
                  • GlobalLock.KERNEL32(00000000), ref: 004C3C6B
                  • IsWindow.USER32(?), ref: 004C3C84
                  • GetTopWindow.USER32(?), ref: 004C3CC1
                  • GetWindow.USER32(00000000,00000002), ref: 004C3CDA
                  • SetParent.USER32(?,?), ref: 004C3D06
                  • SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 004C3D51
                  • SendMessageA.USER32(?,00008076,00000000,00000000), ref: 004C3D60
                  • GetParent.USER32(?), ref: 004C3D73
                  • SendMessageA.USER32(?,00008004,00000000,00000000), ref: 004C3D8C
                  • GetWindowLongA.USER32(?,000000F0), ref: 004C3D94
                  • SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004C3DC4
                  • SendMessageA.USER32(?,0000130C,00000000,00000000), ref: 004C3DD2
                  • IsWindow.USER32(?), ref: 004C3E1E
                  • GetFocus.USER32 ref: 004C3E28
                  • SetFocus.USER32(?,00000000), ref: 004C3E40
                  • GlobalUnlock.KERNEL32(00000000), ref: 004C3E4B
                  • GlobalFree.KERNEL32(00000000), ref: 004C3E52
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: Window$MessageSend$GlobalParent$Focus$FreeLockLongRectSizeUnlock
                  • String ID:
                  • API String ID: 300820980-0
                  • Opcode ID: c7ee5849a53f2b720b434fb20ee73ce415a09fc5efd5512a2ca60ec435b943ad
                  • Instruction ID: fc7bb721d02177b4388cf4223777b3b17238a714f8787edda964ef02e8b708dd
                  • Opcode Fuzzy Hash: c7ee5849a53f2b720b434fb20ee73ce415a09fc5efd5512a2ca60ec435b943ad
                  • Instruction Fuzzy Hash: C1A18A75204701AFD760EF65CC88F6BB7E8BB88701F108A1DFA4297391DB78E9058B65
                  APIs
                  • ??2@YAPAXI@Z.MSVCRT(?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00000001), ref: 10028E9E
                  • strrchr.MSVCRT ref: 10028EC7
                  • RegOpenKeyA.ADVAPI32(00000000,00000000,?), ref: 10028EE0
                  • ??2@YAPAXI@Z.MSVCRT ref: 10028F03
                  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000400,?,?,?,00000698,80000004,00000000,00000000,00000000), ref: 10028F26
                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F34
                  • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F3E
                  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000), ref: 10028F5B
                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F8A
                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000), ref: 10028F97
                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F9E
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: ??2@??3@$QueryValue$CloseOpenstrrchr
                  • String ID: PXu Xu
                  • API String ID: 1380196384-815181985
                  • Opcode ID: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
                  • Instruction ID: 11253f6a850e8c32f07a3e9f8fa5c0c7ac66a22cffc6c79301f50e11ea2e9c0e
                  • Opcode Fuzzy Hash: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
                  • Instruction Fuzzy Hash: 304126792003055BE344DA78EC45E2B77D9EFC2660F950A2DF915C3281EE75EE0983A2
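The "APIs" lists in these function records are the part of the listing a triager actually reads: the USER32 window routine at 004C3B7F, the ADVAPI32 registry read at 10028E9E (RegOpenKeyA, two RegQueryValueExA calls, RegCloseKey) and the registration routine at 004C4854 listed next (LoadLibraryA, GetProcAddress resolving DllRegisterServer, LoadTypeLib/RegisterTypeLib). The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses bullet lines of exactly this shape, groups them per function, and applies three chain heuristics (dynamic import resolution, registry value read, SendMessage message-id decoding). The sample input is constructed from lines copied from this page's records; the heuristics and the message-id buckets are the example author's own, with the TCM_FIRST range taken from commctrl.h and only meaningful if the target window is a tab control.

```python
import re

# Constructed sample: "APIs" bullet lines copied from three function records of
# this report (USER32 window routine, ADVAPI32 registry read, KERNEL32/OLEAUT32
# registration routine), in the shape a text export of the report has them.
SAMPLE = """\
APIs
• GetFocus.USER32 ref: 004C3B7F
• SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 004C3D51
• SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004C3DC4
• SendMessageA.USER32(?,0000130C,00000000,00000000), ref: 004C3DD2
Memory Dump Source
APIs
• ??2@YAPAXI@Z.MSVCRT(?,00000698,80000004,00000000), ref: 10028E9E
• strrchr.MSVCRT ref: 10028EC7
• RegOpenKeyA.ADVAPI32(00000000,00000000,?), ref: 10028EE0
• RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000400), ref: 10028F26
• RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?), ref: 10028F5B
• RegCloseKey.ADVAPI32(?,?), ref: 10028F97
Strings
APIs
• LoadLibraryA.KERNEL32(?,00000001,?,00000001), ref: 004C4854
• GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 004C48C7
• RegisterTypeLib.OLEAUT32(00000000,00000000), ref: 004C4A22
Strings
"""

# One bullet: "• Name.MODULE(arg,arg,...), ref: ADDR" or "• Name.MODULE ref: ADDR".
# Names may be C++-decorated (??2@YAPAXI@Z), so everything before the first '.' is the name.
API_LINE = re.compile(
    r"^\s*•\s*(?P<name>[^.\s(]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_blocks(text):
    """Group the bullets under each 'APIs' header into one call list per function."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = [a for a in (m.group("args") or "").split(",") if a]
            current.append({"name": m.group("name"), "module": m.group("module").upper(),
                            "args": args, "ref": int(m.group("ref"), 16)})
        else:
            current = None  # any other line closes the bullet list
    return blocks


def message_class(msg):
    """Bucket a SendMessage id by the ranges Windows reserves (winuser.h / commctrl.h)."""
    if msg >= 0xC000:
        return "RegisterWindowMessage range"
    if msg >= 0x8000:
        return "WM_APP+%d (application-private)" % (msg - 0x8000)
    if 0x1300 <= msg <= 0x13FF:  # TCM_FIRST = 0x1300; assumption: target is a tab control
        return "TCM_FIRST+%d (tab control, if the target is one)" % (msg - 0x1300)
    if msg >= 0x0400:
        return "WM_USER+%d" % (msg - 0x0400)
    return "system message"


def classify(calls):
    """Heuristic findings (example author's own) over one function's call sequence."""
    names = [c["name"] for c in calls]
    findings = []
    # 1. Dynamic import resolution: LoadLibrary* then GetProcAddress with a literal export name.
    if any(n.startswith("LoadLibrary") for n in names):
        exports = [c["args"][1] for c in calls
                   if c["name"] == "GetProcAddress" and len(c["args"]) > 1 and c["args"][1] != "?"]
        if exports:
            findings.append("dynamic import of " + ", ".join(exports))
            if "DllRegisterServer" in exports:
                findings.append("COM self-registration (DllRegisterServer)")
    # 2. Registry read: open, one or more queries (two usually means size probe then read), close.
    queries = sum(n.startswith("RegQueryValueEx") for n in names)
    if queries and any(n.startswith("RegOpenKey") for n in names):
        findings.append("registry value read (%d RegQueryValueEx call%s)"
                        % (queries, "s" if queries > 1 else ""))
    # 3. Window messaging: decode every SendMessage id that is a literal in the record.
    for c in calls:
        if c["name"].startswith("SendMessage") and len(c["args"]) > 1 and c["args"][1] != "?":
            msg = int(c["args"][1], 16)
            findings.append("SendMessage 0x%04X -> %s" % (msg, message_class(msg)))
    return findings


def summarize(text):
    """One record per function: first ref address, modules touched, findings."""
    out = []
    for calls in parse_api_blocks(text):
        if calls:
            out.append({"first_ref": "%08X" % calls[0]["ref"],
                        "modules": sorted({c["module"] for c in calls}),
                        "findings": classify(calls)})
    return out


if __name__ == "__main__":
    for rec in summarize(SAMPLE):
        print(rec["first_ref"], ",".join(rec["modules"]))
        for finding in rec["findings"]:
            print("   ", finding)
```

Run against a full text export of the report, `summarize` gives one line per function with the modules it touches and the chains it matched, which is quicker than reading the fuzzy-hash records one by one. The message-id decoding is deliberately tentative: 0x806F, 0x8076 and 0x8004 are in the WM_APP range and therefore private to this application, so their meaning cannot be recovered from the record alone.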
                  APIs
                  • LoadLibraryA.KERNEL32(?,00000001,?,00000001,?,?,?,?,?,?,00000000,007F9E08,00000000), ref: 004C4854
                  • LoadLibraryA.KERNEL32(?,00000001,00000000,00000001,?,?,007D9D3C,?,?,?,?,?,?,00000000,007F9E08,00000000), ref: 004C4891
                  • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 004C48C7
                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,007F9E08,00000000), ref: 004C48D2
                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,007F9E08,00000000), ref: 004C48E0
                  • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004C49ED
                  • RegisterTypeLib.OLEAUT32(00000000,00000000), ref: 004C4A22
                  • CLSIDFromString.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,007F9E08,00000000), ref: 004C4AE7
                  • UnRegisterTypeLib.OLEAUT32(?,00000000,00000000,00000000,00000001), ref: 004C4B03
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: Library$LoadType$FreeRegister$AddressFromProcString
                  • String ID: DllRegisterServer$DllUnregisterServer
                  • API String ID: 2476498075-2931954178
                  • Opcode ID: bb99048f6588ca265a681c3f029e97578926fe6b9d4ebac5c6359c26a1f8ea40
                  • Instruction ID: 3d50727202a0988adf1641a3052eea74cd31356e871d0e85d78553229f022720
                  • Opcode Fuzzy Hash: bb99048f6588ca265a681c3f029e97578926fe6b9d4ebac5c6359c26a1f8ea40
                  • Instruction Fuzzy Hash: 68B1E1B590024AABDB14EBA4C955FEFB7B8FF84314F10452DF815A7281DB38AA05CB64
                  APIs
                  • GetModuleHandleA.KERNEL32(?), ref: 10029652
                  • LoadLibraryA.KERNEL32(?), ref: 1002965F
                  • wsprintfA.USER32 ref: 10029676
                  • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002968C
                    • Part of subcall function 10027B10: ExitProcess.KERNEL32 ref: 10027B25
                  • atoi.MSVCRT(?), ref: 100296CB
                  • strchr.MSVCRT ref: 10029703
                  • GetProcAddress.KERNEL32(00000000,00000040), ref: 10029721
                  • wsprintfA.USER32 ref: 10029739
                  • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002974F
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
                  • String ID: DLL ERROR
                  • API String ID: 3187504500-4092134112
                  • Opcode ID: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
                  • Instruction ID: 2d8d4974cead62a1b0d3c1b872151993aa02a2f76add0cb6c4d459240c98e11b
                  • Opcode Fuzzy Hash: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
                  • Instruction Fuzzy Hash: 7E3139B26003529BE310EF74AC94F9BB7D8EB85340F904929FB09D3241EB75E919C7A5
                  APIs
                  • LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,005338E2,?,Microsoft Visual C++ Runtime Library,00012010,?,007C9F0C,?,007C9F5C,?,?,?,Runtime Error!Program: ), ref: 0053AF77
                  • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0053AF8F
                  • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0053AFA0
                  • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0053AFAD
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                  • API String ID: 2238633743-4044615076
                  • Opcode ID: 604af9be48b74d6b37cba5a06dcc955a4dab07b5c7217c3233dd45b2da2f4d19
                  • Instruction ID: 8ce400e891b46900516e592ea20b3ca7731360952b72417fda11ff3b67056745
                  • Opcode Fuzzy Hash: 604af9be48b74d6b37cba5a06dcc955a4dab07b5c7217c3233dd45b2da2f4d19
                  • Instruction Fuzzy Hash: 5A0171B5604307BF87219FB5AC88DAB7FA8BB58742B04452DF186C2161DB78C852DB62
                  APIs
                  • LCMapStringW.KERNEL32(00000000,00000100,007CA19C,00000001,00000000,00000000,7612EB00,0082CD44,?,?,?,0052F45D,?,?,?,00000000), ref: 00536D26
                  • LCMapStringA.KERNEL32(00000000,00000100,007CA198,00000001,00000000,00000000,?,?,0052F45D,?,?,?,00000000,00000001), ref: 00536D42
                  • LCMapStringA.KERNEL32(?,?,?,0052F45D,?,?,7612EB00,0082CD44,?,?,?,0052F45D,?,?,?,00000000), ref: 00536D8B
                  • MultiByteToWideChar.KERNEL32(?,0082CD45,?,0052F45D,00000000,00000000,7612EB00,0082CD44,?,?,?,0052F45D,?,?,?,00000000), ref: 00536DC3
                  • MultiByteToWideChar.KERNEL32(00000000,00000001,?,0052F45D,?,00000000,?,?,0052F45D,?), ref: 00536E1B
                  • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0052F45D,?), ref: 00536E31
                  • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0052F45D,?), ref: 00536E64
                  • LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0052F45D,?), ref: 00536ECC
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: String$ByteCharMultiWide
                  • String ID:
                  • API String ID: 352835431-0
                  • Opcode ID: a62989f843dae0eee73ebe14d05cf88c23a3d1390bc74e56813a25bc62fc5ade
                  • Instruction ID: 62d27cf0bc35d009cabd036e404282ac43bfe0e3b8ec01c5f0ff21bbeb09715c
                  • Opcode Fuzzy Hash: a62989f843dae0eee73ebe14d05cf88c23a3d1390bc74e56813a25bc62fc5ade
                  • Instruction Fuzzy Hash: 80515736900249BFCF228F94CC45EAF7FB9FB89754F248519F915A21A0D3328D64EB61
                  APIs
                  • CreatePopupMenu.USER32 ref: 004D11FE
                  • AppendMenuA.USER32(?,?,00000000,?), ref: 004D1361
                  • AppendMenuA.USER32(?,00000000,00000000,?), ref: 004D1399
                  • ModifyMenuA.USER32(?,00000000,00000000,00000000,00000000), ref: 004D13B7
                  • AppendMenuA.USER32(?,?,00000000,?), ref: 004D1415
                  • ModifyMenuA.USER32(?,?,?,?,?), ref: 004D143A
                  • AppendMenuA.USER32(?,?,?,?), ref: 004D1482
                  • ModifyMenuA.USER32(?,?,?,?,?), ref: 004D14A7
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: Menu$Append$Modify$CreatePopup
                  • String ID:
                  • API String ID: 3846898120-0
                  • Opcode ID: dfc1b30d91d85771c549fc8821bb69808352ab095a4db625c62500b608ca5f67
                  • Instruction ID: 3ca3c5f11a18d0389df6de3abe5525e56d9e18b861f02da71327df2c29421f20
                  • Opcode Fuzzy Hash: dfc1b30d91d85771c549fc8821bb69808352ab095a4db625c62500b608ca5f67
                  • Instruction Fuzzy Hash: 32D187B1A04301ABC714DF18C994A6BBBE4FF89754F04452EFD8993361E738AC01CBA6
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0053382B
                  • GetStdHandle.KERNEL32(000000F4,007C9F0C,00000000,00000000,00000000,?), ref: 00533901
                  • WriteFile.KERNEL32(00000000), ref: 00533908
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: File$HandleModuleNameWrite
                  • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                  • API String ID: 3784150691-4022980321
                  • Opcode ID: 39f9735ca91d60f41570321e6ef46a0dab1f2a023fb08d5050bddd71bcc139b6
                  • Instruction ID: dccbd82ec216db72bf6106e4e92fe67ae9731e447ae98fb0bfc7402f44beb726
                  • Opcode Fuzzy Hash: 39f9735ca91d60f41570321e6ef46a0dab1f2a023fb08d5050bddd71bcc139b6
                  • Instruction Fuzzy Hash: D131E7B2A01219BFDF24EA60CD4AF9A7B6CFF89340F10045EF545E6091D6B4EB44CB62
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID: %I64d$%lf
                  • API String ID: 0-1545097854
                  • Opcode ID: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
                  • Instruction ID: a68653634a99df22c50c27c61c92b13d05d716d03379e836d9a088690611f418
                  • Opcode Fuzzy Hash: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
                  • Instruction Fuzzy Hash: 0F516C7A5052424BD738D524BC85AEF73C4EBC0310FE08A2EFA59D21D1DE79DE458392
                  APIs
                  • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0052D73E), ref: 00533212
                  • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0052D73E), ref: 00533226
                  • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0052D73E), ref: 00533252
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0052D73E), ref: 0053328A
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0052D73E), ref: 005332AC
                  • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0052D73E), ref: 005332C5
                  • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0052D73E), ref: 005332D8
                  • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00533316
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                  • String ID:
                  • API String ID: 1823725401-0
                  • Opcode ID: 2dc31ee5f9dde6b73461f66eda9cec09d5fece40f736755a31cb8567cf034021
                  • Instruction ID: 22a0b6d07de66a25bb08c78f01f21aa964455fc57e5aec8a23ca5d53435c3ca0
                  • Opcode Fuzzy Hash: 2dc31ee5f9dde6b73461f66eda9cec09d5fece40f736755a31cb8567cf034021
                  • Instruction Fuzzy Hash: 353106765082256FDB307F78AC8883BBFDCFB45318F250C29F542C3150EA218E848261
                  APIs
                  • IsWindow.USER32(?), ref: 004C031D
                  • GetParent.USER32(?), ref: 004C032F
                  • SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004C0357
                  • GetWindowRect.USER32(?,?), ref: 004C03E1
                  • InvalidateRect.USER32(?,?,00000001,?), ref: 004C0404
                  • GetWindowRect.USER32(?,?), ref: 004C05CC
                  • InvalidateRect.USER32(?,?,00000001,?), ref: 004C05ED
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: Rect$Window$Invalidate$MessageParentSend
                  • String ID:
                  • API String ID: 236041146-0
                  • Opcode ID: 1905557a3942eebccb37f757c4b203deab9c8b6e52ba5a1d26c9cb08863c26b6
                  • Instruction ID: ac0a85db4d11be9608977db859099771bab4360afac4b41f39c215cbcd98b5fc
                  • Opcode Fuzzy Hash: 1905557a3942eebccb37f757c4b203deab9c8b6e52ba5a1d26c9cb08863c26b6
                  • Instruction Fuzzy Hash: 6591E235600306ABCB24EF25C850F6B77E8AF84358F04051EFD459B392EB38ED058BA9
                  APIs
                  • GetStringTypeW.KERNEL32(00000001,007CA19C,00000001,?,7612EB00,0082CD44,?,?,0052F45D,?,?,?,00000000,00000001), ref: 0053A4F7
                  • GetStringTypeA.KERNEL32(00000000,00000001,007CA198,00000001,?,?,0052F45D,?,?,?,00000000,00000001), ref: 0053A511
                  • GetStringTypeA.KERNEL32(?,?,?,?,0052F45D,7612EB00,0082CD44,?,?,0052F45D,?,?,?,00000000,00000001), ref: 0053A545
                  • MultiByteToWideChar.KERNEL32(?,0082CD45,?,?,00000000,00000000,7612EB00,0082CD44,?,?,0052F45D,?,?,?,00000000,00000001), ref: 0053A57D
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0052F45D,?), ref: 0053A5D3
                  • GetStringTypeW.KERNEL32(?,?,00000000,0052F45D,?,?,?,?,?,?,0052F45D,?), ref: 0053A5E5
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: StringType$ByteCharMultiWide
                  • String ID:
                  • API String ID: 3852931651-0
                  • Opcode ID: 778a831c9195a2c82a90abd30393a424486b55d1d058fbafc39a92695c8fe71b
                  • Instruction ID: 3ee85cd20f279303354b436b1faedb705bf07419141bb19f4d1a8418e2e57a4f
                  • Opcode Fuzzy Hash: 778a831c9195a2c82a90abd30393a424486b55d1d058fbafc39a92695c8fe71b
                  • Instruction Fuzzy Hash: 3141A972A00219AFCF218F94DC86EEE3F78FB08791F104929F952E2190D3318951DBA2
                  APIs
                  • TlsGetValue.KERNEL32(00828A84,00828A74,00000000,?,00828A84,?,00549797,00828A74,00000000,?,00000000,005491AE,00548A9D,005491CA,005445D1,00545876), ref: 0054953A
                  • EnterCriticalSection.KERNEL32(00828AA0,00000010,?,00828A84,?,00549797,00828A74,00000000,?,00000000,005491AE,00548A9D,005491CA,005445D1,00545876), ref: 00549589
                  • LeaveCriticalSection.KERNEL32(00828AA0,00000000,?,00828A84,?,00549797,00828A74,00000000,?,00000000,005491AE,00548A9D,005491CA,005445D1,00545876), ref: 0054959C
                  • LocalAlloc.KERNEL32(00000000,00000004,?,00828A84,?,00549797,00828A74,00000000,?,00000000,005491AE,00548A9D,005491CA,005445D1,00545876), ref: 005495B2
                  • LocalReAlloc.KERNEL32(?,00000004,00000002,?,00828A84,?,00549797,00828A74,00000000,?,00000000,005491AE,00548A9D,005491CA,005445D1,00545876), ref: 005495C4
                  • TlsSetValue.KERNEL32(00828A84,00000000), ref: 00549600
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: AllocCriticalLocalSectionValue$EnterLeave
                  • String ID:
                  • API String ID: 4117633390-0
                  • Opcode ID: 09c08a3a4eb80fab8db2f2d42db08bcd85555a3e9850e7eec76cd9f337a95e60
                  • Instruction ID: 1dfd17241d9b74a9ea21ef7d62a506bbf7920c7c5027f701114031e5ea0d7904
                  • Opcode Fuzzy Hash: 09c08a3a4eb80fab8db2f2d42db08bcd85555a3e9850e7eec76cd9f337a95e60
                  • Instruction Fuzzy Hash: E5317C75200605EFD724CF25D89AFABBBE8FF85355F108618E41AC7690EB70E909CB61
                  APIs
                  • GetVersionExA.KERNEL32 ref: 005335FF
                  • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00533634
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00533694
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: EnvironmentFileModuleNameVariableVersion
                  • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                  • API String ID: 1385375860-4131005785
                  • Opcode ID: b607b6ef8efe049945f403024f125693ff9173641362d9219b2631418e714a53
                  • Instruction ID: 8d8fe35a3f561c8bdfd68c82a0d0c75c9543b8309f19672070abd76986aacb94
                  • Opcode Fuzzy Hash: b607b6ef8efe049945f403024f125693ff9173641362d9219b2631418e714a53
                  • Instruction Fuzzy Hash: 343139B29012587DEB318774AC97BDD3F68FB06744F2404E9D186D6282E7318F8ACB21
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0054A084
                    • Part of subcall function 0054A170: lstrlenA.KERNEL32(00000104,00000000,?,0054A0B4), ref: 0054A1A7
                  • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0054A125
                  • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0054A152
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: FileModuleNamelstrcatlstrcpylstrlen
                  • String ID: .HLP$.INI
                  • API String ID: 2421895198-3011182340
                  • Opcode ID: fb49887c37ddf0ed12a10b4492493638add2dc4591c4057a0a5c557e31854f7d
                  • Instruction ID: a9dc07c076400831da6a35d7c078f8e785966e9e89b5199b190b2d969ee069b6
                  • Opcode Fuzzy Hash: fb49887c37ddf0ed12a10b4492493638add2dc4591c4057a0a5c557e31854f7d
                  • Instruction Fuzzy Hash: 433190B5944719AFDB61DB74C889BC6BBFCFB04304F10486AE189D3151DB70AAC4CB20
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 867b56ae746394e622a6e5f218455718b4c2070060540e40bb1b6c2cf6ffa003
                  • Instruction ID: 38f320e7d0dd5d3c10ff9a8856fdc1e726634fb233e6aa16a00ef23ca8d0b178
                  • Opcode Fuzzy Hash: 867b56ae746394e622a6e5f218455718b4c2070060540e40bb1b6c2cf6ffa003
                  • Instruction Fuzzy Hash: 06C1E175504602AFC720DF24D881E6FB7E9EFC4348F44492EF84687251E738F9068BAA
                  APIs
                  • GetStartupInfoA.KERNEL32(?), ref: 00533387
                  • GetFileType.KERNEL32(?,?,00000000), ref: 00533432
                  • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00533495
                  • GetFileType.KERNEL32(00000000,?,00000000), ref: 005334A3
                  • SetHandleCount.KERNEL32 ref: 005334DA
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: FileHandleType$CountInfoStartup
                  • String ID:
                  • API String ID: 1710529072-0
                  • Opcode ID: d6e37824fc1fcd17a0ba4b0e5ba39c154400018abfcd94fd87971b40fcb334b9
                  • Instruction ID: 74d8043a3635a37d838404ca7af4e086272a51abf8528f270160bf6162de0ae8
                  • Opcode Fuzzy Hash: d6e37824fc1fcd17a0ba4b0e5ba39c154400018abfcd94fd87971b40fcb334b9
                  • Instruction Fuzzy Hash: 3E5123319007118FCB22CB78D89CA297FA0BB11324F298B68D5A6CB2E1D770DA4AD751
                  APIs
                  • midiStreamStop.WINMM(?,00000000,-000001A5,00000000,004D606A,00000000,007F9E08,004CC246), ref: 004D6535
                  • midiOutReset.WINMM(?), ref: 004D6553
                  • WaitForSingleObject.KERNEL32(?,000007D0), ref: 004D6576
                  • midiStreamClose.WINMM(?), ref: 004D65B3
                  • midiStreamClose.WINMM(?), ref: 004D65E7
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: midi$Stream$Close$ObjectResetSingleStopWait
                  • String ID:
                  • API String ID: 3142198506-0
                  • Opcode ID: 3c4d720d9cfef02ab93a990280a3187c80fd643b3b50966c0ec4732648aa1d48
                  • Instruction ID: 988a0fd31b17a728300f61c758b8637965478bc9c3ef666f4b3ba2d9c4353007
                  • Opcode Fuzzy Hash: 3c4d720d9cfef02ab93a990280a3187c80fd643b3b50966c0ec4732648aa1d48
                  • Instruction Fuzzy Hash: 3F316FB22007019BCB30DFA9F4A451BB7E5FB94301B114A3FE186C6744C738E885CB98
                  APIs
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: Menu$Destroy$AcceleratorTableWindow
                  • String ID:
                  • API String ID: 1240299919-0
                  • Opcode ID: a453dbb0a03fb2ba0bf42701061a99a4b7668b13f71f9c2a0d727f225ddbe076
                  • Instruction ID: 36554a1229bff95b9c7ebfcce784b7310ff20c92f243050c45fa7fd8810c52a4
                  • Opcode Fuzzy Hash: a453dbb0a03fb2ba0bf42701061a99a4b7668b13f71f9c2a0d727f225ddbe076
                  • Instruction Fuzzy Hash: 7031D875600302AFC720EF65DC44D6B77A9EF85354F06851DFD0597252EA38E809CBB4
                  APIs
                  • GetLastError.KERNEL32(00000103,7FFFFFFF,0052FA52,00532367,00000000,?,?,00000000,00000001), ref: 0053354E
                  • TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 0053355C
                  • SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 005335A8
                    • Part of subcall function 0052FE46: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00533571,00000001,00000074,?,?,00000000,00000001), ref: 0052FF3C
                  • TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00533580
                  • GetCurrentThreadId.KERNEL32 ref: 00533591
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: ErrorLastValue$AllocCurrentHeapThread
                  • String ID:
                  • API String ID: 2020098873-0
                  • Opcode ID: bc7cd2e637902eaac407db08a1f109314cb19395c12542a2cb2172fe85cf5b20
                  • Instruction ID: 0e7a58b62c948d371e5ff3c271ec59c60880ea6736e985566ebb1825fd8c354e
                  • Opcode Fuzzy Hash: bc7cd2e637902eaac407db08a1f109314cb19395c12542a2cb2172fe85cf5b20
                  • Instruction Fuzzy Hash: 43F0F0325017326FC3222BB0FC0D6193FA4FF55772F100228F985D61E0DF248A41AAA1
                  APIs
                  • wsprintfA.USER32 ref: 10027B78
                  • MessageBoxA.USER32(00000000,?,error,00000010), ref: 10027B8F
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: Messagewsprintf
                  • String ID: error$program internal error number is %d. %s
                  • API String ID: 300413163-3752934751
                  • Opcode ID: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                  • Instruction ID: e1549d366f44cd83cf328da68a9c66535f66093051f9031b2c984319b6cde580
                  • Opcode Fuzzy Hash: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                  • Instruction Fuzzy Hash: B9E092755002006BE344EBA4ECAAFAA33A8E708701FC0085EF34981180EBB1A9548616
                  APIs
                  • HeapAlloc.KERNEL32(00000000,00002020,007EADD0,007EADD0,?,?,00538008,00000000,00000010,00000000,00000009,00000009,?,0052F091,00000010,00000000), ref: 00537B5D
                  • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00538008,00000000,00000010,00000000,00000009,00000009,?,0052F091,00000010,00000000), ref: 00537B81
                  • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00538008,00000000,00000010,00000000,00000009,00000009,?,0052F091,00000010,00000000), ref: 00537B9B
                  • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00538008,00000000,00000010,00000000,00000009,00000009,?,0052F091,00000010,00000000,?), ref: 00537C5C
                  • HeapFree.KERNEL32(00000000,00000000,?,?,00538008,00000000,00000010,00000000,00000009,00000009,?,0052F091,00000010,00000000,?,00000000), ref: 00537C73
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: AllocVirtual$FreeHeap
                  • String ID:
                  • API String ID: 714016831-0
                  • Opcode ID: be17aa462f055b61432a0e776fc9fac0b8f745695e918528d87bf5a2ab635a17
                  • Instruction ID: 6a35e3bd04af06b030779d51ca545ccf687a38575416704342aa595f65feab3d
                  • Opcode Fuzzy Hash: be17aa462f055b61432a0e776fc9fac0b8f745695e918528d87bf5a2ab635a17
                  • Instruction Fuzzy Hash: 833102B0A4570EAFD331CF24EC85B21BBE0FB48762F118639E1559B6D0E774A800DB49
                  APIs
                  • midiStreamOpen.WINMM(-00000189,-00000161,00000001,004D74A0,-000001A5,00030000,?,-000001A5,?,00000000), ref: 004D6E8B
                  • midiStreamProperty.WINMM ref: 004D6F72
                  • midiOutPrepareHeader.WINMM(?,?,00000040,00000001,?,?,-000001A5,?,00000000), ref: 004D70C0
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: midi$Stream$HeaderOpenPrepareProperty
                  • String ID:
                  • API String ID: 2061886437-0
                  • Opcode ID: 4076e3c4b64707c473674e55c22671dfc86078d403b6104fad3e7aada5d68b93
                  • Instruction ID: 63e6c9c4e2e3c0ff420810ebb7e5fd6224ef9a2c392ea44c9a747957adcafffb
                  • Opcode Fuzzy Hash: 4076e3c4b64707c473674e55c22671dfc86078d403b6104fad3e7aada5d68b93
                  • Instruction Fuzzy Hash: BBA17D752006058FD724DF28D8A4BAAB7F6FB88304F51492EE68AC7750EB35F919CB40
                  APIs
                  • IsWindow.USER32(00000000), ref: 004C2594
                  • GetParent.USER32(00000000), ref: 004C25E4
                  • IsWindow.USER32(?), ref: 004C2604
                  • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 004C267F
                    • Part of subcall function 00543C3A: ShowWindow.USER32(?,?,004C05FC,00000000), ref: 00543C48
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: Window$ParentShow
                  • String ID:
                  • API String ID: 2052805569-0
                  • Opcode ID: 4d912f72f0b78821a8b226315d8a2e75bb1a573efdeaf9a9c98d1435f7f1b5b6
                  • Instruction ID: 2a871587bcb944ae5fb9d5229ba0dd85f121515a37cb47f0cc0f5f79347c90eb
                  • Opcode Fuzzy Hash: 4d912f72f0b78821a8b226315d8a2e75bb1a573efdeaf9a9c98d1435f7f1b5b6
                  • Instruction Fuzzy Hash: 6641CF75700301ABC760DE259D81FABB394AF84754F04052EFD059B381EBF8E9458BB9
                  APIs
                  • malloc.MSVCRT ref: 10029FB3
                  • LCMapStringA.KERNEL32(00000804,00400000,?,?,00000000,?,?,?,?,?,000009DC,00000000,?,10028774,00000001,?), ref: 10029FE7
                  • free.MSVCRT ref: 10029FF6
                  • free.MSVCRT ref: 1002A014
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: free$Stringmalloc
                  • String ID:
                  • API String ID: 3576809655-0
                  • Opcode ID: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                  • Instruction ID: fe1f6c240ce4a888f48c4ee73cb5f64fbc811d22bf13276520b53d25543597c8
                  • Opcode Fuzzy Hash: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                  • Instruction Fuzzy Hash: 2311D27A2042042BD348DA78AC45E7BB3D9DBC5265FA0463EF226D22C1EE71ED094365
                  APIs
                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000020,00000000,00000000,00000000,80000005), ref: 10028DC8
                  • WriteFile.KERNEL32(00000000,?,?,?,00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9), ref: 10028E07
                  • CloseHandle.KERNEL32(00000000,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E1A
                  • CloseHandle.KERNEL32(00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E35
                  Memory Dump Source
                  • Source File: 00000001.00000002.2650712243.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_10000000_213.jbxd
                  Similarity
                  • API ID: CloseFileHandle$CreateWrite
                  • String ID:
                  • API String ID: 3602564925-0
                  • Opcode ID: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                  • Instruction ID: f6076fed0b983a52129b8cb4bf2c1cdfe7202da6017c1e667b93af5c44e6f27f
                  • Opcode Fuzzy Hash: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                  • Instruction Fuzzy Hash: 39118E36201301ABE710DF18ECC5F6BB7E8FB84714F550919FA6497290D370E90E8B66
                  APIs
                  • GetCPInfo.KERNEL32(?,00000000), ref: 005328B3
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: Info
                  • String ID: $
                  • API String ID: 1807457897-3032137957
                  • Opcode ID: 8c1aaf76b25d6f05240ea32e0cbc6f725ae848651f37e42dfbfab02a40d5dc74
                  • Instruction ID: 0d80f1f921bbeecc0d851934b0f227089876febe5036028c6d85f1b562a0e34d
                  • Opcode Fuzzy Hash: 8c1aaf76b25d6f05240ea32e0cbc6f725ae848651f37e42dfbfab02a40d5dc74
                  • Instruction Fuzzy Hash: 9A4159321047586EDB229724DD59BFF7FA9FB05700F1404E5E689DB1A3C2B18984DBB2
                  APIs
                  • __EH_prolog.LIBCMT ref: 00545916
                    • Part of subcall function 0054527B: __EH_prolog.LIBCMT ref: 00545280
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: H_prolog
                  • String ID: V5 $x|
                  • API String ID: 3519838083-3630372689
                  • Opcode ID: 19b73d30a48ce6c5ee6d87ec05ae603fee767b029379fef4b886f0c0579fd1aa
                  • Instruction ID: 4dc0b2076bdff16775e983571f4649235ed723db5b6046283e933dc56bf7751b
                  • Opcode Fuzzy Hash: 19b73d30a48ce6c5ee6d87ec05ae603fee767b029379fef4b886f0c0579fd1aa
                  • Instruction Fuzzy Hash: B6F06871A44705EBDB28AF74844E7DD7FE0BB44728F10852EB506E75C2E6744A44CF54
                  APIs
                  • HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00537462,00000000,00000000,00000000,0052F033,00000000,00000000,?,00000000,00000000,00000000), ref: 005376C2
                  • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00537462,00000000,00000000,00000000,0052F033,00000000,00000000,?,00000000,00000000,00000000), ref: 005376F6
                  • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00537710
                  • HeapFree.KERNEL32(00000000,?), ref: 00537727
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: AllocHeap$FreeVirtual
                  • String ID:
                  • API String ID: 3499195154-0
                  • Opcode ID: 08594dd17b18ef06082ac5740638665e31d113129a95d4f8ea61ba918e90c519
                  • Instruction ID: d88f095256ebd2bc95c4d204e3da2443ea4a3c9ea0d84491109f27dd9d04d5e1
                  • Opcode Fuzzy Hash: 08594dd17b18ef06082ac5740638665e31d113129a95d4f8ea61ba918e90c519
                  • Instruction Fuzzy Hash: D0114C70640741AFD7308F59EC8593A7FB6FF987A1B208A29F162D65B0C371A846DF80
                  APIs
                  • EnterCriticalSection.KERNEL32(00828C38,?,00000000,?,?,005497DD,00000010,?,00000000,?,?,?,005491C4,00549227,00548A9D,005491CA), ref: 0054A4A7
                  • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,005497DD,00000010,?,00000000,?,?,?,005491C4,00549227,00548A9D,005491CA), ref: 0054A4B9
                  • LeaveCriticalSection.KERNEL32(00828C38,?,00000000,?,?,005497DD,00000010,?,00000000,?,?,?,005491C4,00549227,00548A9D,005491CA), ref: 0054A4C2
                  • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,005497DD,00000010,?,00000000,?,?,?,005491C4,00549227,00548A9D,005491CA,005445D1), ref: 0054A4D4
                    • Part of subcall function 0054A3D9: GetVersion.KERNEL32(?,0054A47C,?,005497DD,00000010,?,00000000,?,?,?,005491C4,00549227,00548A9D,005491CA,005445D1,00545876), ref: 0054A3EC
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: CriticalSection$Enter$InitializeLeaveVersion
                  • String ID:
                  • API String ID: 1193629340-0
                  • Opcode ID: eeb8bb5024f9acf617f97ddcae4ce853d8abeed9d9bbde64eb01bfc1e8be555a
                  • Instruction ID: ef337a9b0004c7b2ad7d994ae533547e4aec21f7b429ef6062c26defdd8381b8
                  • Opcode Fuzzy Hash: eeb8bb5024f9acf617f97ddcae4ce853d8abeed9d9bbde64eb01bfc1e8be555a
                  • Instruction Fuzzy Hash: ECF0A43504231ADFCF60DF54EC98996B76CFB3031AB00442AE24583061DB34A45BDAA1
                  APIs
                  • InitializeCriticalSection.KERNEL32(?,005334EB,?,0052D718), ref: 00535DC8
                  • InitializeCriticalSection.KERNEL32(?,005334EB,?,0052D718), ref: 00535DD0
                  • InitializeCriticalSection.KERNEL32(?,005334EB,?,0052D718), ref: 00535DD8
                  • InitializeCriticalSection.KERNEL32(?,005334EB,?,0052D718), ref: 00535DE0
                  Memory Dump Source
                  • Source File: 00000001.00000002.2644483356.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.2644302926.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2645084904.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646089264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646155249.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646257280.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646301511.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646382024.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646489611.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646563203.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646637815.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000001.00000002.2646908340.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_213.jbxd
                  Similarity
                  • API ID: CriticalInitializeSection
                  • String ID:
                  • API String ID: 32694325-0
                  • Opcode ID: b47d094a598671442320a0e7a37f87d8b3c70ec60b0162c471f1b67a473be826
                  • Instruction ID: f09b7e46a3944a21f6efb323c7c42375265d9e7b4a21461fe96da00fa37f67c0
                  • Opcode Fuzzy Hash: b47d094a598671442320a0e7a37f87d8b3c70ec60b0162c471f1b67a473be826
                  • Instruction Fuzzy Hash: 71C002719021B4FBCA512B55FE89C463F67EB1C261301C077A1045D470862E2C50EFD6

                  Execution Graph

                  Execution Coverage:6.8%
                  Dynamic/Decrypted Code Coverage:50.5%
                  Signature Coverage:0%
                  Total number of Nodes:734
                  Total number of Limit Nodes:19
API calls 23114->23143 23116 52d74d 23117 52d752 GetStartupInfoA 23116->23117 23144 532e99 48 API calls 23117->23144 23119 52d764 23120 52d76d 23119->23120 23121 52d776 GetModuleHandleA 23120->23121 23145 53d00e 23121->23145 23125 52d791 23152 532d21 36 API calls 23125->23152 23127 52d7a2 23129 533748 23128->23129 23130 53377e 23128->23130 23153 5335e0 57 API calls 23129->23153 23130->23098 23132 53374d 23133 533757 23132->23133 23134 533764 23132->23134 23154 536ff5 HeapAlloc 23133->23154 23136 533781 23134->23136 23155 537b3c HeapAlloc VirtualAlloc VirtualAlloc VirtualFree HeapFree 23134->23155 23136->23098 23137 533761 23137->23136 23139 533772 HeapDestroy 23137->23139 23139->23130 23140->23103 23141->23110 23142->23112 23143->23116 23144->23119 23156 54586b 23145->23156 23150->23114 23151 531e54 32 API calls 23151->23125 23152->23127 23153->23132 23154->23137 23155->23137 23157 5445cc 65 API calls 23156->23157 23158 545876 23157->23158 23159 54919f 65 API calls 23158->23159 23160 54587d 23159->23160 23167 549ff0 SetErrorMode SetErrorMode 23160->23167 23164 52d788 23164->23151 23165 5458b2 23178 54a8af 68 API calls 23165->23178 23166 53f6ce 31 API calls 23166->23165 23168 54919f 65 API calls 23167->23168 23169 54a007 23168->23169 23170 54919f 65 API calls 23169->23170 23171 54a016 23170->23171 23172 54a03c 23171->23172 23179 54a053 23171->23179 23173 54919f 65 API calls 23172->23173 23175 54a041 23173->23175 23176 545895 23175->23176 23198 5445e1 23175->23198 23176->23165 23176->23166 23178->23164 23180 54919f 65 API calls 23179->23180 23181 54a066 GetModuleFileNameA 23180->23181 23209 52f677 29 API calls 23181->23209 23183 54a098 23210 54a170 lstrlenA lstrcpynA 23183->23210 23185 54a0b4 23186 54a0ca 23185->23186 23215 531dfc 29 API calls 23185->23215 23197 54a104 23186->23197 23211 545151 23186->23211 23189 54a11c lstrcpyA 23217 531dfc 29 API calls 23189->23217 23190 54a137 23191 54a146 lstrcatA 23190->23191 23195 54a164 23190->23195 23218 531dfc 29 API calls 
23191->23218 23195->23172 23197->23189 23197->23190 23199 54919f 65 API calls 23198->23199 23200 5445e6 23199->23200 23201 54463e 23200->23201 23219 548f68 23200->23219 23201->23176 23204 5497bc 7 API calls 23205 54461c 23204->23205 23206 544629 23205->23206 23207 54919f 65 API calls 23205->23207 23208 549727 65 API calls 23206->23208 23207->23206 23208->23201 23209->23183 23210->23185 23212 54919f 65 API calls 23211->23212 23213 545157 LoadStringA 23212->23213 23214 545172 23213->23214 23216 531dfc 29 API calls 23214->23216 23215->23186 23216->23197 23217->23190 23218->23195 23220 549727 65 API calls 23219->23220 23221 5445f2 GetCurrentThreadId SetWindowsHookExA 23220->23221 23221->23204

                  Control-flow Graph

                  APIs
                    • Part of subcall function 100294C0: GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                    • Part of subcall function 100294C0: GetTickCount.KERNEL32 ref: 10029543
                    • Part of subcall function 100294C0: wsprintfA.USER32 ref: 10029558
                    • Part of subcall function 100294C0: PathFileExistsA.SHLWAPI(?), ref: 10029565
                  • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 10019491
                  • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000000,00000001,?,?,?,00000000), ref: 100195FF
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID: FilePath$AllocateCopyCountExistsHeapTempTickwsprintf
                  • String ID: @
                  • API String ID: 183890193-2766056989
                  • Opcode ID: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
                  • Instruction ID: 886d6a9a19e72094fdb0421fea6300c5803c3cbfa718e8e798f15b8255d4c358
                  • Opcode Fuzzy Hash: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
                  • Instruction Fuzzy Hash: 26D142B5E40209ABEB01DFD4DCC2F9EB7B4FF18704F540065F604BA282E776A9548B66

                  Control-flow Graph

                  APIs
                  • GetVersionExA.KERNEL32(00000000,10006DE0), ref: 10007264
                  • GetSystemInfo.KERNEL32(00000000,?), ref: 100073E6
                  • RtlGetNtVersionNumbers.NTDLL(?,?,00000000), ref: 100074B7
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID: Version$InfoNumbersSystem
                  • String ID:
                  • API String ID: 995872648-0
                  • Opcode ID: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                  • Instruction ID: 6910099e4755c4c9484fada616f008788a9246664730439cfdd765e490be93a4
                  • Opcode Fuzzy Hash: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                  • Instruction Fuzzy Hash: 001225B5E40246DBFB00CFA8DC81799B7F0FF19364F290065E909AB345E379A951CB62

                  Control-flow Graph

                  APIs
                  • lstrlen.KERNEL32(00000000,FFFFFFFF,00000000,?,00000000,00000000,00000001,FFFFFFFF,00000000,?,FFFFFFFF,00000000,?,FFFFFFFF,00000000), ref: 10019B06
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID: lstrlen
                  • String ID: Z$w
                  • API String ID: 1659193697-2716038989
                  • Opcode ID: b821f9bf040da37c44fd0503dcae877c7611da7f3909d027b8be583757176cb2
                  • Instruction ID: 282b89e6495933af6440fbbb597b1de90ef5dffa39cee2d72f7ed257570ffe54
                  • Opcode Fuzzy Hash: b821f9bf040da37c44fd0503dcae877c7611da7f3909d027b8be583757176cb2
                  • Instruction Fuzzy Hash: 550202B0D0061CDBEB10DFE1E9897EDBBB4FF48340F2140A4E485BA249DB725AA5CB55

                  Control-flow Graph

                  APIs
                    • Part of subcall function 10018EEA: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                  • HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 10018B14
                  • HeapCreate.KERNEL32(00040000,00000000,00000000), ref: 10018B51
                    • Part of subcall function 1000FF10: RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID: Create$Heap$ComputeCrc32Mutex
                  • String ID:
                  • API String ID: 3311811139-0
                  • Opcode ID: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                  • Instruction ID: 66fc46a93c8d8d126791b072413d70454ec7258938680aadaad6e332e46fbde2
                  • Opcode Fuzzy Hash: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                  • Instruction Fuzzy Hash: B8B10CB5E00309ABEB10EFE4DCC2B9E77B8FB14340F504465E618EB246E775AB448B52
                  APIs
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID: Close
                  • String ID:
                  • API String ID: 3535843008-0
                  • Opcode ID: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                  • Instruction ID: f7734d6dfd281f4cec539f69a8a4743609fe5589cfe20e3980177d77de103c32
                  • Opcode Fuzzy Hash: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                  • Instruction Fuzzy Hash: 92112EB5D40308BBEB50DFE0DC86B9DBBB8EF05340F108069E6447A281D7B66B588B91
                  APIs
                  • InterlockedExchange.KERNEL32(1002D511,00000000), ref: 1001A1FA
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID: ExchangeInterlocked
                  • String ID:
                  • API String ID: 367298776-0
                  • Opcode ID: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                  • Instruction ID: 8b03ad6f155dc1ffa3c952e4c0ec4cfc85cd69f7d418c3f1b48ca094e25b3ce2
                  • Opcode Fuzzy Hash: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                  • Instruction Fuzzy Hash: EF012975D04319A7DB00EFD49C82F9E77B9EB05340F404066E50466151D775DB949B92
                  APIs
                  • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID: CreateMutex
                  • String ID:
                  • API String ID: 1964310414-0
                  • Opcode ID: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                  • Instruction ID: b5123a5caac3b4bfff5d25017b882f5dc189a7960400f6af0356bf2a3b5a090f
                  • Opcode Fuzzy Hash: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                  • Instruction Fuzzy Hash: 49E01270E95308F7E120AA505D03B29B635D70AB11F609055BE083E1C1D5B19A156696

                  Control-flow Graph

                  APIs
                  • GetProcAddress.KERNEL32(00000000,007E95F4), ref: 004C4037
                  • LoadLibraryA.KERNEL32(?,?,007F9FD8), ref: 004C4127
                  • LoadLibraryA.KERNEL32(?,?), ref: 004C416D
                  • LoadLibraryA.KERNEL32(?,?,007F9EE0,00000001), ref: 004C41B5
                  • LoadLibraryA.KERNEL32(00000001), ref: 004C41CB
                  • GetProcAddress.KERNEL32(00000000,?), ref: 004C41DD
                  • FreeLibrary.KERNEL32(00000000), ref: 004C4270
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: Library$Load$AddressProc$Free
                  • String ID:
                  • API String ID: 3120990465-0
                  • Opcode ID: 7d23c86e5f4d8fdc60b7376af7fe00b9b921ff9eb7a82e5f92403be5a2653610
                  • Instruction ID: 0d97a38ab59ea2454446a38efc438f5ac4c2006ed55e6cbcbc5fa747bc10463a
                  • Opcode Fuzzy Hash: 7d23c86e5f4d8fdc60b7376af7fe00b9b921ff9eb7a82e5f92403be5a2653610
                  • Instruction Fuzzy Hash: 98A1EEB5A00702ABC714DF65C895FABB3A8BFD8314F044A2EF95587341DB38E9058B96

                  Control-flow Graph

                  APIs
                  • EnterCriticalSection.KERNEL32(00828AA0,00828A74,00000000,?,00828A84,00828A84,0054975B,?,00000000,005491AE,00548A9D,005491CA,005445D1,00545876,?,00000000), ref: 005493CF
                  • GlobalAlloc.KERNEL32(00002002,00000000,?,?,00828A84,00828A84,0054975B,?,00000000,005491AE,00548A9D,005491CA,005445D1,00545876,?,00000000), ref: 00549424
                  • GlobalHandle.KERNEL32(00B0A470), ref: 0054942D
                  • GlobalUnlock.KERNEL32(00000000), ref: 00549436
                  • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00549448
                  • GlobalHandle.KERNEL32(00B0A470), ref: 0054945F
                  • GlobalLock.KERNEL32(00000000), ref: 00549466
                  • LeaveCriticalSection.KERNEL32(0052D788,?,?,00828A84,00828A84,0054975B,?,00000000,005491AE,00548A9D,005491CA,005445D1,00545876,?,00000000), ref: 0054946C
                  • GlobalLock.KERNEL32(00000000), ref: 0054947B
                  • LeaveCriticalSection.KERNEL32(?), ref: 005494C4
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                  • String ID:
                  • API String ID: 2667261700-0
                  • Opcode ID: ad25314e3ab3a8c0cbd963cee62433216bdfd4a3f84765b6980d9fd789afd86f
                  • Instruction ID: 0680607167dcfb51be68af9fc07181946f114734a34a74dd25a2467039290072
                  • Opcode Fuzzy Hash: ad25314e3ab3a8c0cbd963cee62433216bdfd4a3f84765b6980d9fd789afd86f
                  • Instruction Fuzzy Hash: 6B3186752007069FDB249F24DC9EA6BBBE9FB84305F014A2DF852C36A1D771E849CB10

                  Control-flow Graph

                  • Graph of function starting at 100294c0 (graph image not rendered); nodes call GetTempPathA, GetTickCount, wsprintfA, PathFileExistsA and subroutine 10027bb0
                  APIs
                  • GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                  • GetTickCount.KERNEL32 ref: 10029543
                  • wsprintfA.USER32 ref: 10029558
                  • PathFileExistsA.SHLWAPI(?), ref: 10029565
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID: Path$CountExistsFileTempTickwsprintf
                  • String ID: %s%x.tmp
                  • API String ID: 3843276195-78920241
                  • Opcode ID: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                  • Instruction ID: 19c0f5fbbc49b21063d5a4c1e69b6cb6cd736cc94922c53957f775166a9e82b6
                  • Opcode Fuzzy Hash: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                  • Instruction Fuzzy Hash: 9521F6352046144FE329D638AC526EB77D5FBC4360F948A2DF9AA831C0DF74DD058791

                  Control-flow Graph

                  • Graph of function starting at 10027bb0 (graph image not rendered); nodes call GetProcessHeap, RtlAllocateHeap, MessageBoxA and subroutine 10027b10
                  APIs
                  • GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                  • RtlAllocateHeap.NTDLL(00B00000,00000008,?,?,10028674), ref: 10027BCD
                  • MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID: Heap$AllocateMessageProcess
                  • String ID: error
                  • API String ID: 2992861138-1574812785
                  • Opcode ID: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
                  • Instruction ID: 89e5899bf0a8eaacd33e9d23978464e8beef4f738102cb453b69e42e0a268b90
                  • Opcode Fuzzy Hash: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
                  • Instruction Fuzzy Hash: 4DE0DF71A01A31ABE322EB64BC88F4B7698EF05B41F910526F608E2240EF20AC019791

                  Control-flow Graph

                  APIs
                  • CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000020,00000000,00000000,100149DF,00000001,00000000,00000000,80000004,00000000,00000000,00000000), ref: 10028D55
                  • GetFileSize.KERNEL32(00000000,?,1002C201,00000268,?,00000000,00000000,00000000,00000000), ref: 10028D6C
                    • Part of subcall function 10027BB0: GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                    • Part of subcall function 10027BB0: RtlAllocateHeap.NTDLL(00B00000,00000008,?,?,10028674), ref: 10027BCD
                    • Part of subcall function 10027BB0: MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                  • ReadFile.KERNEL32(00000000,00000008,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D98
                  • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D9F
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID: File$Heap$AllocateCloseCreateHandleMessageProcessReadSize
                  • String ID:
                  • API String ID: 749537981-0
                  • Opcode ID: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                  • Instruction ID: 3e7a6e3e6917c5c906f0044d82f650070526e8034b550c75b50b94cd4b2286ca
                  • Opcode Fuzzy Hash: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                  • Instruction Fuzzy Hash: 31F044762003107BE3218B64DCC9F9B77ACEB84B51F204A1DF616961D0E670A5458761

                  Control-flow Graph

                  • Graph of function starting at 5445e1 (graph image not rendered); nodes call GetCurrentThreadId, SetWindowsHookExA and subroutines 54919f, 548f68, 5497bc, 549727
                  APIs
                  • GetCurrentThreadId.KERNEL32 ref: 005445F4
                  • SetWindowsHookExA.USER32(000000FF,V`H,00000000,00000000), ref: 00544604
                    • Part of subcall function 005497BC: __EH_prolog.LIBCMT ref: 005497C1
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: CurrentH_prologHookThreadWindows
                  • String ID: V`H
                  • API String ID: 2183259885-1425837005
                  • Opcode ID: 7bdb4992812b9603d92ce55cf3757991eafd4ebacac900e4ddfae643f0de77b5
                  • Instruction ID: 6703cd5c35d67480fc66cfaacd7600fc8725dd8c5455f0883ca78f17e6e9ae7e
                  • Opcode Fuzzy Hash: 7bdb4992812b9603d92ce55cf3757991eafd4ebacac900e4ddfae643f0de77b5
                  • Instruction Fuzzy Hash: CAF03031980352BFCB643BB0AD0EBEA7E50BB42729F05165CB161AB5E1DE705C84DB51

                  Control-flow Graph

                  • Graph of function starting at 4b0c30 (graph image not rendered); nodes call GetProcessHeap, RtlAllocateHeap and subroutines 4b0d00, 5138f0
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ca8975013be66042fb3ee7ceec211989a27087a098f950c7537636960121dd16
                  • Instruction ID: 2e6eb3e04c5d181b1ddf78a2676a29e2dcee82295116eba9147db19c910fd444
                  • Opcode Fuzzy Hash: ca8975013be66042fb3ee7ceec211989a27087a098f950c7537636960121dd16
                  • Instruction Fuzzy Hash: 8D211BB67007008FE724CF69D884A97B7E8EBA0356F10C92FE159C7651D775E805CB64

                  Control-flow Graph

                  • Graph of function starting at 549ff0 (graph image not rendered); nodes call SetErrorMode (twice) and subroutines 54919f, 54a053, 5445e1
                  APIs
                  • SetErrorMode.KERNEL32(00000000,00000000,00545895,00000000,00000000,00000000,00000000,?,00000000,?,0053D023,00000000,00000000,00000000,00000000,0052D788), ref: 00549FF9
                  • SetErrorMode.KERNEL32(00000000,?,00000000,?,0053D023,00000000,00000000,00000000,00000000,0052D788,00000000), ref: 0054A000
                    • Part of subcall function 0054A053: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0054A084
                    • Part of subcall function 0054A053: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0054A125
                    • Part of subcall function 0054A053: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0054A152
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
                  • String ID:
                  • API String ID: 3389432936-0
                  • Opcode ID: f5cc11b3060c09880d13a835071dac1ff441f947291634e4d0d4758776c38180
                  • Instruction ID: c4c3ab3275c8eb14d5ae32abcb23d0482c2f86857849692c857bd89a7c3249ea
                  • Opcode Fuzzy Hash: f5cc11b3060c09880d13a835071dac1ff441f947291634e4d0d4758776c38180
                  • Instruction Fuzzy Hash: 82F08770A442129FCB14FF20C449B8A3FA4BF84310F01848AB4488B3A2CB70D840CB52
                  APIs
                  • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004C3AA7
                  • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004C3ACD
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: MessagePeek
                  • String ID:
                  • API String ID: 2222842502-0
                  • Opcode ID: d5d2506b950605fd47a43454618ffe8a54ad3c91368ebf1fb006fd2e3387a302
                  • Instruction ID: e12696abd107ecee3b6de49d5429ec05dbec5f9555e77b60db8d8df6ed79d70d
                  • Opcode Fuzzy Hash: d5d2506b950605fd47a43454618ffe8a54ad3c91368ebf1fb006fd2e3387a302
                  • Instruction Fuzzy Hash: B5F09B35740312BBFB20EBA48C06F5737586F84B01F54445AF741AB1D0E6B4F5058BA9
                  APIs
                  • HeapCreate.KERNEL32(00000000,00001000,00000000,0052D706,00000001), ref: 00533739
                    • Part of subcall function 005335E0: GetVersionExA.KERNEL32 ref: 005335FF
                  • HeapDestroy.KERNEL32 ref: 00533778
                    • Part of subcall function 00536FF5: HeapAlloc.KERNEL32(00000000,00000140,00533761,000003F8), ref: 00537002
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: Heap$AllocCreateDestroyVersion
                  • String ID:
                  • API String ID: 2507506473-0
                  • Opcode ID: a74c570746986a0d0ea47059bd758b4a4c67e8f0631b46f34643c4d50467435d
                  • Instruction ID: 299e96f16654292e717742aaca72f32221ee5cbc430f404e8471a118c5d38c14
                  • Opcode Fuzzy Hash: a74c570746986a0d0ea47059bd758b4a4c67e8f0631b46f34643c4d50467435d
                  • Instruction Fuzzy Hash: 23F06DF0A54302AAEB306B74AD5A7792F90FB90B82F20883AF400C90F4EA608781D651
                  APIs
                  • IsBadReadPtr.KERNEL32(00000000,00000008), ref: 10027C6E
                  • RtlFreeHeap.NTDLL(00B00000,00000000,00000000), ref: 10027C80
                    • Part of subcall function 10027AE0: GetModuleHandleA.KERNEL32(10000000,10027CB6,?,?,00000000,10013438,00000004,1002D4C1,00000000,00000000,?,00000014,00000000,00000000), ref: 10027AEA
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID: FreeHandleHeapModuleRead
                  • String ID:
                  • API String ID: 627478288-0
                  • Opcode ID: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                  • Instruction ID: 59851536013e0aac3578df5bad16e171669d5e3b00cd7f1de4e20f90094f5fd3
                  • Opcode Fuzzy Hash: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                  • Instruction Fuzzy Hash: 46E0ED71A0153297EB21FB34ADC4A4B769CFB417C0BB1402AF548B3151D330AC818BA2
                  APIs
                  • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0052F0CC
                    • Part of subcall function 00535DE4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0052FEFC,00000009,00000000,00000000,00000001,00533571,00000001,00000074,?,?,00000000,00000001), ref: 00535E21
                    • Part of subcall function 00535DE4: EnterCriticalSection.KERNEL32(?,?,?,0052FEFC,00000009,00000000,00000000,00000001,00533571,00000001,00000074,?,?,00000000,00000001), ref: 00535E3C
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: CriticalSection$AllocateEnterHeapInitialize
                  • String ID:
                  • API String ID: 1616793339-0
                  APIs
                  • RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,0052FEFC,00000009,00000000,00000000,00000001,00533571,00000001,00000074), ref: 0052EF92
                    • Part of subcall function 00535DE4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0052FEFC,00000009,00000000,00000000,00000001,00533571,00000001,00000074,?,?,00000000,00000001), ref: 00535E21
                    • Part of subcall function 00535DE4: EnterCriticalSection.KERNEL32(?,?,?,0052FEFC,00000009,00000000,00000000,00000001,00533571,00000001,00000074,?,?,00000000,00000001), ref: 00535E3C
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterFreeHeapInitialize
                  • String ID:
                  • API String ID: 641406236-0
                  APIs
                  • LdrInitializeThunk.NTDLL(-0000007F), ref: 10004BAD
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID: InitializeThunk
                  • String ID:
                  • API String ID: 2994545307-0
                  APIs
                  • LoadStringA.USER32(?,?,?,?), ref: 00545168
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: LoadString
                  • String ID:
                  • API String ID: 2948472770-0
                  APIs
                  • ShowWindow.USER32(?,?,004C05FC,00000000), ref: 00543C48
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: ShowWindow
                  • String ID:
                  • API String ID: 1268545403-0
                  APIs
                  • DeleteFileA.KERNEL32(00000000,10015A7E,00000001,10014425,00000000,80000004), ref: 10028E55
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID: DeleteFile
                  • String ID:
                  • API String ID: 4033686569-0
                  APIs
                  • IsIconic.USER32(?), ref: 004CBF7C
                  • IsZoomed.USER32(?), ref: 004CBF8A
                  • LoadLibraryA.KERNEL32(User32.dll,00000003,00000009), ref: 004CBFB4
                  • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004CBFC7
                  • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004CBFD5
                  • FreeLibrary.KERNEL32(00000000), ref: 004CC00B
                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004CC021
                  • IsWindow.USER32(?), ref: 004CC04E
                  • ShowWindow.USER32(?,00000005,?,?,?,?,00000004), ref: 004CC05B
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: AddressLibraryProcWindow$FreeIconicInfoLoadParametersShowSystemZoomed
                  • String ID: GetMonitorInfoA$H$MonitorFromWindow$User32.dll
                  • API String ID: 447426925-661446951
                  APIs
                  • GetCurrentThreadId.KERNEL32 ref: 004C4BA5
                  • IsWindow.USER32(000204DC), ref: 004C4BC1
                  • SendMessageA.USER32(000204DC,000083E7,?,00000000), ref: 004C4BDA
                  • ExitProcess.KERNEL32 ref: 004C4BEF
                  • FreeLibrary.KERNEL32(?), ref: 004C4CD3
                  • FreeLibrary.KERNEL32 ref: 004C4D27
                  • DestroyIcon.USER32(00000000), ref: 004C4D77
                  • DestroyIcon.USER32(00000000), ref: 004C4D8E
                  • IsWindow.USER32(000204DC), ref: 004C4DA5
                  • DestroyIcon.USER32(?,00000001,00000000,000000FF), ref: 004C4E54
                  • WSACleanup.WS2_32 ref: 004C4E9F
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: DestroyIcon$FreeLibraryWindow$CleanupCurrentExitMessageProcessSendThread
                  • String ID:
                  • API String ID: 3816745216-0
                  APIs
                  • UnmapViewOfFile.KERNEL32(00000000,00000000,00000000,?,00000018,00000000,00000000,00000000,00000000,00000000,00000018,00000000,00000000,00000000,00000000,00000000), ref: 100226B0
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID: FileUnmapView
                  • String ID:
                  • API String ID: 2564024751-0
                  APIs
                  • GetDC.USER32(00000000), ref: 1001A976
                  • SelectObject.GDI32(00000000,00000000), ref: 1001A9E8
                  • SelectObject.GDI32(00000000,00000000), ref: 1001ABA2
                  • ReleaseDC.USER32(00000000,00000000), ref: 1001ABFD
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID: ObjectSelect$Release
                  • String ID:
                  • API String ID: 3581861777-0
                  APIs
                  • GetWindow.USER32(?,00000005), ref: 1001A773
                  • IsWindowVisible.USER32(00000000), ref: 1001A7AC
                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 1001A7E9
                  • GetWindow.USER32(00000000,00000002), ref: 1001A872
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID: Window$ProcessThreadVisible
                  • String ID:
                  • API String ID: 569392824-0
                  APIs
                  • GetFocus.USER32 ref: 004C3B7F
                  • GetWindowRect.USER32(?,?), ref: 004C3BD6
                  • GetParent.USER32(?), ref: 004C3BE6
                  • GetParent.USER32(?), ref: 004C3C19
                  • GlobalSize.KERNEL32(00000000), ref: 004C3C63
                  • GlobalLock.KERNEL32(00000000), ref: 004C3C6B
                  • IsWindow.USER32(?), ref: 004C3C84
                  • GetTopWindow.USER32(?), ref: 004C3CC1
                  • GetWindow.USER32(00000000,00000002), ref: 004C3CDA
                  • SetParent.USER32(?,?), ref: 004C3D06
                  • SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 004C3D51
                  • SendMessageA.USER32(?,00008076,00000000,00000000), ref: 004C3D60
                  • GetParent.USER32(?), ref: 004C3D73
                  • SendMessageA.USER32(?,00008004,00000000,00000000), ref: 004C3D8C
                  • GetWindowLongA.USER32(?,000000F0), ref: 004C3D94
                  • SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004C3DC4
                  • SendMessageA.USER32(?,0000130C,00000000,00000000), ref: 004C3DD2
                  • IsWindow.USER32(?), ref: 004C3E1E
                  • GetFocus.USER32 ref: 004C3E28
                  • SetFocus.USER32(?,00000000), ref: 004C3E40
                  • GlobalUnlock.KERNEL32(00000000), ref: 004C3E4B
                  • GlobalFree.KERNEL32(00000000), ref: 004C3E52
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: Window$MessageSend$GlobalParent$Focus$FreeLockLongRectSizeUnlock
                  • String ID:
                  • API String ID: 300820980-0
                  • Opcode ID: c7ee5849a53f2b720b434fb20ee73ce415a09fc5efd5512a2ca60ec435b943ad
                  • Instruction ID: fc7bb721d02177b4388cf4223777b3b17238a714f8787edda964ef02e8b708dd
                  • Opcode Fuzzy Hash: c7ee5849a53f2b720b434fb20ee73ce415a09fc5efd5512a2ca60ec435b943ad
                  • Instruction Fuzzy Hash: C1A18A75204701AFD760EF65CC88F6BB7E8BB88701F108A1DFA4297391DB78E9058B65
                  APIs
                  • ??2@YAPAXI@Z.MSVCRT(?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00000001), ref: 10028E9E
                  • strrchr.MSVCRT ref: 10028EC7
                  • RegOpenKeyA.ADVAPI32(00000000,00000000,?), ref: 10028EE0
                  • ??2@YAPAXI@Z.MSVCRT ref: 10028F03
                  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000400,?,?,?,00000698,80000004,00000000,00000000,00000000), ref: 10028F26
                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F34
                  • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F3E
                  • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000), ref: 10028F5B
                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F8A
                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000), ref: 10028F97
                  • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F9E
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID: ??2@??3@$QueryValue$CloseOpenstrrchr
                  • String ID: PXu Xu
                  • API String ID: 1380196384-815181985
                  • Opcode ID: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
                  • Instruction ID: 11253f6a850e8c32f07a3e9f8fa5c0c7ac66a22cffc6c79301f50e11ea2e9c0e
                  • Opcode Fuzzy Hash: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
                  • Instruction Fuzzy Hash: 304126792003055BE344DA78EC45E2B77D9EFC2660F950A2DF915C3281EE75EE0983A2
                  APIs
                  • LoadLibraryA.KERNEL32(?,00000001,?,00000001,?,?,?,?,?,?,00000000,007F9E08,00000000), ref: 004C4854
                  • LoadLibraryA.KERNEL32(?,00000001,00000000,00000001,?,?,007D9D3C,?,?,?,?,?,?,00000000,007F9E08,00000000), ref: 004C4891
                  • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 004C48C7
                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,007F9E08,00000000), ref: 004C48D2
                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,007F9E08,00000000), ref: 004C48E0
                  • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004C49ED
                  • RegisterTypeLib.OLEAUT32(00000000,00000000), ref: 004C4A22
                  • CLSIDFromString.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,007F9E08,00000000), ref: 004C4AE7
                  • UnRegisterTypeLib.OLEAUT32(?,00000000,00000000,00000000,00000001), ref: 004C4B03
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.2644164015.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645869264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645891406.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645953143.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645986093.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646044674.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646105732.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646202903.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: Library$LoadType$FreeRegister$AddressFromProcString
                  • String ID: DllRegisterServer$DllUnregisterServer
                  • API String ID: 2476498075-2931954178
                  • Opcode ID: bb99048f6588ca265a681c3f029e97578926fe6b9d4ebac5c6359c26a1f8ea40
                  • Instruction ID: 3d50727202a0988adf1641a3052eea74cd31356e871d0e85d78553229f022720
                  • Opcode Fuzzy Hash: bb99048f6588ca265a681c3f029e97578926fe6b9d4ebac5c6359c26a1f8ea40
                  • Instruction Fuzzy Hash: 68B1E1B590024AABDB14EBA4C955FEFB7B8FF84314F10452DF815A7281DB38AA05CB64
                  APIs
                  • GetModuleHandleA.KERNEL32(?), ref: 10029652
                  • LoadLibraryA.KERNEL32(?), ref: 1002965F
                  • wsprintfA.USER32 ref: 10029676
                  • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002968C
                    • Part of subcall function 10027B10: ExitProcess.KERNEL32 ref: 10027B25
                  • atoi.MSVCRT(?), ref: 100296CB
                  • strchr.MSVCRT ref: 10029703
                  • GetProcAddress.KERNEL32(00000000,00000040), ref: 10029721
                  • wsprintfA.USER32 ref: 10029739
                  • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002974F
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
                  • String ID: DLL ERROR
                  • API String ID: 3187504500-4092134112
                  • Opcode ID: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
                  • Instruction ID: 2d8d4974cead62a1b0d3c1b872151993aa02a2f76add0cb6c4d459240c98e11b
                  • Opcode Fuzzy Hash: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
                  • Instruction Fuzzy Hash: 7E3139B26003529BE310EF74AC94F9BB7D8EB85340F904929FB09D3241EB75E919C7A5
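The function records above list each function's resolved API calls, the memory dump it was recovered from and its fuzzy hashes, but the report offers no way to query those records in bulk. The following Python is added here as an illustration and is not Joe Sandbox code nor part of this report. It parses records in the layout rendered on this page and flags the two behaviours visible in the preceding two records: run-time import resolution (LoadLibraryA or GetModuleHandleA followed by GetProcAddress, which keeps the import out of the static import table) and COM/typelib self-registration (GetProcAddress for DllRegisterServer, RegisterTypeLib), plus the RegOpenKey/RegQueryValueEx pairing seen earlier on the page. The sample input is constructed from trimmed copies of those records with shortened hashes; the rule names and the record-boundary assumption (a record starts at an "APIs" line) are this example's own.

```python
"""Parse Joe Sandbox per-function records (the 'APIs' / 'Memory Dump Source' /
'Similarity' blocks) and flag API sequences worth a second look.

Added example for this report page; not Joe Sandbox code. The record layout
it expects is the one rendered on the page; the sample below is constructed
from trimmed copies of two records on the page (hashes shortened)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input in the page's layout.
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(?,00000001,?,00000001), ref: 004C4854
• GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 004C48C7
• FreeLibrary.KERNEL32(00000000), ref: 004C48D2
• LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004C49ED
• RegisterTypeLib.OLEAUT32(00000000,00000000), ref: 004C4A22
Strings
Memory Dump Source
• Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_213.jbxd
Similarity
• API ID: Library$LoadType$FreeRegister$AddressFromProcString
• String ID: DllRegisterServer$DllUnregisterServer
• Instruction Fuzzy Hash: 68B1E1B590024AAB
APIs
• GetModuleHandleA.KERNEL32(?), ref: 10029652
• LoadLibraryA.KERNEL32(?), ref: 1002965F
• wsprintfA.USER32 ref: 10029676
• MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002968C
  • Part of subcall function 10027B10: ExitProcess.KERNEL32 ref: 10027B25
• GetProcAddress.KERNEL32(00000000,00000040), ref: 10029721
Strings
Memory Dump Source
• Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
Similarity
• String ID: DLL ERROR
• Instruction Fuzzy Hash: 7E3139B26003529B
"""

# "name.MODULE(args), ref: ADDR" or "name.MODULE ref: ADDR"; names may contain ? and @ (C++ mangling).
API_RE = re.compile(
    r"^(?P<api>[^.(\s]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<addr>[0-9A-Fa-f]{8})\s*$"
)
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<fn>[0-9A-Fa-f]{8}):\s*(?P<rest>.*)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None   # callee address when the call is reached via a subcall

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def dump_base(self) -> str:
        return self.fields.get("Offset", "?")

    @property
    def start(self) -> str:
        return self.calls[0].ref if self.calls else "?"

def parse_records(text: str) -> list:
    """Split the text into records; an 'APIs' line starts a new one (assumption)."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue
        body = line.lstrip("•").strip()
        sub = SUBCALL_RE.match(body)
        m = API_RE.match(sub.group("rest") if sub else body)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") is not None else []
            cur.calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("addr"),
                                     sub.group("fn") if sub else None))
            continue
        f = FIELD_RE.match(body)
        if f:
            cur.fields[f.group("key")] = f.group("val")
            # "Source File: x.sdmp, Offset: 00400000, based on PE: true" packs three fields into one line
            if f.group("key") == "Source File":
                for part in f.group("val").split(", ")[1:]:
                    k, _, v = part.partition(": ")
                    cur.fields[k] = v
    return records

DYNAMIC_LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
                   "GetModuleHandleA", "GetModuleHandleW"}

def flag_record(rec: FunctionRecord) -> set:
    """Rule names are this example's own, not Joe Sandbox signature names."""
    names = [c.api for c in rec.calls]
    flags = set()
    # Module handle + GetProcAddress: the import is resolved at run time, so it is absent from the import table.
    if any(n in DYNAMIC_LOADERS for n in names) and "GetProcAddress" in names:
        flags.add("dynamic_api_resolution")
    # Resolving DllRegisterServer or calling RegisterTypeLib is COM/typelib self-registration.
    if "RegisterTypeLib" in names or any(
            c.api == "GetProcAddress" and "DllRegisterServer" in c.args for c in rec.calls):
        flags.add("com_self_registration")
    if any(n.startswith("RegOpenKey") for n in names) and any(n.startswith("RegQueryValueEx") for n in names):
        flags.add("registry_read")
    return flags

def summarize(text: str) -> list:
    """One (dump base, first call address, sorted flags) tuple per record, for triage."""
    return [(r.dump_base, r.start, sorted(flag_record(r))) for r in parse_records(text)]

if __name__ == "__main__":
    for base, start, flags in summarize(SAMPLE):
        print(f"dump {base}  func @ {start}  {', '.join(flags) or '-'}")
```

Running it prints one line per record with the dump base (00400000 for the mapped image, 10000000 for the second PE-backed region) and the flags that fired. The "Part of subcall function" lines are kept as calls tagged with the callee address rather than dropped, because an ExitProcess reached through a subcall still matters when reading a function's behaviour.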
                  APIs
                  • LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,005338E2,?,Microsoft Visual C++ Runtime Library,00012010,?,007C9F0C,?,007C9F5C,?,?,?,Runtime Error!Program: ), ref: 0053AF77
                  • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0053AF8F
                  • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0053AFA0
                  • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0053AFAD
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.2644164015.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645869264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645891406.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645953143.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645986093.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646044674.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646105732.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646202903.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                  • API String ID: 2238633743-4044615076
                  • Opcode ID: 604af9be48b74d6b37cba5a06dcc955a4dab07b5c7217c3233dd45b2da2f4d19
                  • Instruction ID: 8ce400e891b46900516e592ea20b3ca7731360952b72417fda11ff3b67056745
                  • Opcode Fuzzy Hash: 604af9be48b74d6b37cba5a06dcc955a4dab07b5c7217c3233dd45b2da2f4d19
                  • Instruction Fuzzy Hash: 5A0171B5604307BF87219FB5AC88DAB7FA8BB58742B04452DF186C2161DB78C852DB62
                  APIs
                  • LCMapStringW.KERNEL32(00000000,00000100,007CA19C,00000001,00000000,00000000,7612EB00,0082CD44,?,?,?,0052F45D,?,?,?,00000000), ref: 00536D26
                  • LCMapStringA.KERNEL32(00000000,00000100,007CA198,00000001,00000000,00000000,?,?,0052F45D,?,?,?,00000000,00000001), ref: 00536D42
                  • LCMapStringA.KERNEL32(?,?,?,0052F45D,?,?,7612EB00,0082CD44,?,?,?,0052F45D,?,?,?,00000000), ref: 00536D8B
                  • MultiByteToWideChar.KERNEL32(?,0082CD45,?,0052F45D,00000000,00000000,7612EB00,0082CD44,?,?,?,0052F45D,?,?,?,00000000), ref: 00536DC3
                  • MultiByteToWideChar.KERNEL32(00000000,00000001,?,0052F45D,?,00000000,?,?,0052F45D,?), ref: 00536E1B
                  • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0052F45D,?), ref: 00536E31
                  • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0052F45D,?), ref: 00536E64
                  • LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0052F45D,?), ref: 00536ECC
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.2644164015.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645869264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645891406.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645953143.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645986093.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646044674.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646105732.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646202903.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: String$ByteCharMultiWide
                  • String ID:
                  • API String ID: 352835431-0
                  • Opcode ID: a62989f843dae0eee73ebe14d05cf88c23a3d1390bc74e56813a25bc62fc5ade
                  • Instruction ID: 62d27cf0bc35d009cabd036e404282ac43bfe0e3b8ec01c5f0ff21bbeb09715c
                  • Opcode Fuzzy Hash: a62989f843dae0eee73ebe14d05cf88c23a3d1390bc74e56813a25bc62fc5ade
                  • Instruction Fuzzy Hash: 80515736900249BFCF228F94CC45EAF7FB9FB89754F248519F915A21A0D3328D64EB61
                  APIs
                  • CreatePopupMenu.USER32 ref: 004D11FE
                  • AppendMenuA.USER32(?,?,00000000,?), ref: 004D1361
                  • AppendMenuA.USER32(?,00000000,00000000,?), ref: 004D1399
                  • ModifyMenuA.USER32(?,00000000,00000000,00000000,00000000), ref: 004D13B7
                  • AppendMenuA.USER32(?,?,00000000,?), ref: 004D1415
                  • ModifyMenuA.USER32(?,?,?,?,?), ref: 004D143A
                  • AppendMenuA.USER32(?,?,?,?), ref: 004D1482
                  • ModifyMenuA.USER32(?,?,?,?,?), ref: 004D14A7
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.2644164015.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645869264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645891406.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645953143.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645986093.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646044674.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646105732.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646202903.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: Menu$Append$Modify$CreatePopup
                  • String ID:
                  • API String ID: 3846898120-0
                  • Opcode ID: dfc1b30d91d85771c549fc8821bb69808352ab095a4db625c62500b608ca5f67
                  • Instruction ID: 3ca3c5f11a18d0389df6de3abe5525e56d9e18b861f02da71327df2c29421f20
                  • Opcode Fuzzy Hash: dfc1b30d91d85771c549fc8821bb69808352ab095a4db625c62500b608ca5f67
                  • Instruction Fuzzy Hash: 32D187B1A04301ABC714DF18C994A6BBBE4FF89754F04452EFD8993361E738AC01CBA6
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0053382B
                  • GetStdHandle.KERNEL32(000000F4,007C9F0C,00000000,00000000,00000000,?), ref: 00533901
                  • WriteFile.KERNEL32(00000000), ref: 00533908
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.2644164015.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645869264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645891406.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645953143.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645986093.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646044674.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646105732.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646202903.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: File$HandleModuleNameWrite
                  • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                  • API String ID: 3784150691-4022980321
                  • Opcode ID: 39f9735ca91d60f41570321e6ef46a0dab1f2a023fb08d5050bddd71bcc139b6
                  • Instruction ID: dccbd82ec216db72bf6106e4e92fe67ae9731e447ae98fb0bfc7402f44beb726
                  • Opcode Fuzzy Hash: 39f9735ca91d60f41570321e6ef46a0dab1f2a023fb08d5050bddd71bcc139b6
                  • Instruction Fuzzy Hash: D131E7B2A01219BFDF24EA60CD4AF9A7B6CFF89340F10045EF545E6091D6B4EB44CB62
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID: %I64d$%lf
                  • API String ID: 0-1545097854
                  • Opcode ID: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
                  • Instruction ID: a68653634a99df22c50c27c61c92b13d05d716d03379e836d9a088690611f418
                  • Opcode Fuzzy Hash: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
                  • Instruction Fuzzy Hash: 0F516C7A5052424BD738D524BC85AEF73C4EBC0310FE08A2EFA59D21D1DE79DE458392
                  APIs
                  • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0052D73E), ref: 00533212
                  • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0052D73E), ref: 00533226
                  • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0052D73E), ref: 00533252
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0052D73E), ref: 0053328A
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0052D73E), ref: 005332AC
                  • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0052D73E), ref: 005332C5
                  • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0052D73E), ref: 005332D8
                  • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00533316
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.2644164015.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645869264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645891406.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645953143.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645986093.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646044674.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646105732.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646202903.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                  • String ID:
                  • API String ID: 1823725401-0
                  • Opcode ID: 2dc31ee5f9dde6b73461f66eda9cec09d5fece40f736755a31cb8567cf034021
                  • Instruction ID: 22a0b6d07de66a25bb08c78f01f21aa964455fc57e5aec8a23ca5d53435c3ca0
                  • Opcode Fuzzy Hash: 2dc31ee5f9dde6b73461f66eda9cec09d5fece40f736755a31cb8567cf034021
                  • Instruction Fuzzy Hash: 353106765082256FDB307F78AC8883BBFDCFB45318F250C29F542C3150EA218E848261
                  APIs
                  • IsWindow.USER32(?), ref: 004C031D
                  • GetParent.USER32(?), ref: 004C032F
                  • SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004C0357
                  • GetWindowRect.USER32(?,?), ref: 004C03E1
                  • InvalidateRect.USER32(?,?,00000001,?), ref: 004C0404
                  • GetWindowRect.USER32(?,?), ref: 004C05CC
                  • InvalidateRect.USER32(?,?,00000001,?), ref: 004C05ED
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.2644164015.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645869264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645891406.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645953143.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645986093.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646044674.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646105732.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646202903.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: Rect$Window$Invalidate$MessageParentSend
                  • String ID:
                  • API String ID: 236041146-0
                  • Opcode ID: 1905557a3942eebccb37f757c4b203deab9c8b6e52ba5a1d26c9cb08863c26b6
                  • Instruction ID: ac0a85db4d11be9608977db859099771bab4360afac4b41f39c215cbcd98b5fc
                  • Opcode Fuzzy Hash: 1905557a3942eebccb37f757c4b203deab9c8b6e52ba5a1d26c9cb08863c26b6
                  • Instruction Fuzzy Hash: 6591E235600306ABCB24EF25C850F6B77E8AF84358F04051EFD459B392EB38ED058BA9
                  APIs
                  • GetStringTypeW.KERNEL32(00000001,007CA19C,00000001,?,7612EB00,0082CD44,?,?,0052F45D,?,?,?,00000000,00000001), ref: 0053A4F7
                  • GetStringTypeA.KERNEL32(00000000,00000001,007CA198,00000001,?,?,0052F45D,?,?,?,00000000,00000001), ref: 0053A511
                  • GetStringTypeA.KERNEL32(?,?,?,?,0052F45D,7612EB00,0082CD44,?,?,0052F45D,?,?,?,00000000,00000001), ref: 0053A545
                  • MultiByteToWideChar.KERNEL32(?,0082CD45,?,?,00000000,00000000,7612EB00,0082CD44,?,?,0052F45D,?,?,?,00000000,00000001), ref: 0053A57D
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0052F45D,?), ref: 0053A5D3
                  • GetStringTypeW.KERNEL32(?,?,00000000,0052F45D,?,?,?,?,?,?,0052F45D,?), ref: 0053A5E5
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.2644164015.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645869264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645891406.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645953143.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645986093.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646044674.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646105732.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646202903.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: StringType$ByteCharMultiWide
                  • String ID:
                  • API String ID: 3852931651-0
                  • Opcode ID: 778a831c9195a2c82a90abd30393a424486b55d1d058fbafc39a92695c8fe71b
                  • Instruction ID: 3ee85cd20f279303354b436b1faedb705bf07419141bb19f4d1a8418e2e57a4f
                  • Opcode Fuzzy Hash: 778a831c9195a2c82a90abd30393a424486b55d1d058fbafc39a92695c8fe71b
                  • Instruction Fuzzy Hash: 3141A972A00219AFCF218F94DC86EEE3F78FB08791F104929F952E2190D3318951DBA2
                  APIs
                  • TlsGetValue.KERNEL32(00828A84,00828A74,00000000,?,00828A84,?,00549797,00828A74,00000000,?,00000000,005491AE,00548A9D,005491CA,005445D1,00545876), ref: 0054953A
                  • EnterCriticalSection.KERNEL32(00828AA0,00000010,?,00828A84,?,00549797,00828A74,00000000,?,00000000,005491AE,00548A9D,005491CA,005445D1,00545876), ref: 00549589
                  • LeaveCriticalSection.KERNEL32(00828AA0,00000000,?,00828A84,?,00549797,00828A74,00000000,?,00000000,005491AE,00548A9D,005491CA,005445D1,00545876), ref: 0054959C
                  • LocalAlloc.KERNEL32(00000000,00000004,?,00828A84,?,00549797,00828A74,00000000,?,00000000,005491AE,00548A9D,005491CA,005445D1,00545876), ref: 005495B2
                  • LocalReAlloc.KERNEL32(?,00000004,00000002,?,00828A84,?,00549797,00828A74,00000000,?,00000000,005491AE,00548A9D,005491CA,005445D1,00545876), ref: 005495C4
                  • TlsSetValue.KERNEL32(00828A84,00000000), ref: 00549600
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.2644164015.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645869264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645891406.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645953143.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645986093.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646044674.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646105732.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646202903.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: AllocCriticalLocalSectionValue$EnterLeave
                  • String ID:
                  • API String ID: 4117633390-0
                  • Opcode ID: 09c08a3a4eb80fab8db2f2d42db08bcd85555a3e9850e7eec76cd9f337a95e60
                  • Instruction ID: 1dfd17241d9b74a9ea21ef7d62a506bbf7920c7c5027f701114031e5ea0d7904
                  • Opcode Fuzzy Hash: 09c08a3a4eb80fab8db2f2d42db08bcd85555a3e9850e7eec76cd9f337a95e60
                  • Instruction Fuzzy Hash: E5317C75200605EFD724CF25D89AFABBBE8FF85355F108618E41AC7690EB70E909CB61
                  APIs
                  • GetVersionExA.KERNEL32 ref: 005335FF
                  • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00533634
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00533694
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.2644164015.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645869264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645891406.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645953143.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645986093.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646044674.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646105732.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646202903.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: EnvironmentFileModuleNameVariableVersion
                  • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                  • API String ID: 1385375860-4131005785
                  • Opcode ID: b607b6ef8efe049945f403024f125693ff9173641362d9219b2631418e714a53
                  • Instruction ID: 8d8fe35a3f561c8bdfd68c82a0d0c75c9543b8309f19672070abd76986aacb94
                  • Opcode Fuzzy Hash: b607b6ef8efe049945f403024f125693ff9173641362d9219b2631418e714a53
                  • Instruction Fuzzy Hash: 343139B29012587DEB318774AC97BDD3F68FB06744F2404E9D186D6282E7318F8ACB21
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0054A084
                    • Part of subcall function 0054A170: lstrlenA.KERNEL32(00000104,00000000,?,0054A0B4), ref: 0054A1A7
                  • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0054A125
                  • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0054A152
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.2644164015.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645869264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645891406.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645953143.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645986093.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646044674.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646105732.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646202903.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: FileModuleNamelstrcatlstrcpylstrlen
                  • String ID: .HLP$.INI
                  • API String ID: 2421895198-3011182340
                  • Opcode ID: fb49887c37ddf0ed12a10b4492493638add2dc4591c4057a0a5c557e31854f7d
                  • Instruction ID: a9dc07c076400831da6a35d7c078f8e785966e9e89b5199b190b2d969ee069b6
                  • Opcode Fuzzy Hash: fb49887c37ddf0ed12a10b4492493638add2dc4591c4057a0a5c557e31854f7d
                  • Instruction Fuzzy Hash: 433190B5944719AFDB61DB74C889BC6BBFCFB04304F10486AE189D3151DB70AAC4CB20
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.2644164015.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645869264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645891406.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645953143.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645986093.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646044674.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646105732.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646202903.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 867b56ae746394e622a6e5f218455718b4c2070060540e40bb1b6c2cf6ffa003
                  • Instruction ID: 38f320e7d0dd5d3c10ff9a8856fdc1e726634fb233e6aa16a00ef23ca8d0b178
                  • Opcode Fuzzy Hash: 867b56ae746394e622a6e5f218455718b4c2070060540e40bb1b6c2cf6ffa003
                  • Instruction Fuzzy Hash: 06C1E175504602AFC720DF24D881E6FB7E9EFC4348F44492EF84687251E738F9068BAA
                  APIs
                  • GetStartupInfoA.KERNEL32(?), ref: 00533387
                  • GetFileType.KERNEL32(?,?,00000000), ref: 00533432
                  • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00533495
                  • GetFileType.KERNEL32(00000000,?,00000000), ref: 005334A3
                  • SetHandleCount.KERNEL32 ref: 005334DA
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.2644164015.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645869264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645891406.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645953143.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645986093.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646044674.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646105732.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646202903.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: FileHandleType$CountInfoStartup
                  • String ID:
                  • API String ID: 1710529072-0
                  • Opcode ID: d6e37824fc1fcd17a0ba4b0e5ba39c154400018abfcd94fd87971b40fcb334b9
                  • Instruction ID: 74d8043a3635a37d838404ca7af4e086272a51abf8528f270160bf6162de0ae8
                  • Opcode Fuzzy Hash: d6e37824fc1fcd17a0ba4b0e5ba39c154400018abfcd94fd87971b40fcb334b9
                  • Instruction Fuzzy Hash: 3E5123319007118FCB22CB78D89CA297FA0BB11324F298B68D5A6CB2E1D770DA4AD751
                  APIs
                  • midiStreamStop.WINMM(?,00000000,-000001A5,00000000,004D606A,00000000,007F9E08,004CC246), ref: 004D6535
                  • midiOutReset.WINMM(?), ref: 004D6553
                  • WaitForSingleObject.KERNEL32(?,000007D0), ref: 004D6576
                  • midiStreamClose.WINMM(?), ref: 004D65B3
                  • midiStreamClose.WINMM(?), ref: 004D65E7
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.2644164015.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.0000000000550000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000006BB000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007AD000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2644856733.00000000007B6000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645869264.00000000007D6000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645891406.00000000007D8000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645953143.00000000007DA000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2645986093.00000000007E3000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646044674.00000000007E4000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646105732.00000000007E9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646202903.00000000007EC000.00000008.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007ED000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.00000000007F9000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000807000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.0000000000827000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646254500.000000000082C000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.000000000082F000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000837000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000929000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000004.00000002.2646621865.0000000000932000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: midi$Stream$Close$ObjectResetSingleStopWait
                  • String ID:
                  • API String ID: 3142198506-0
                  APIs
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: Menu$Destroy$AcceleratorTableWindow
                  • String ID:
                  • API String ID: 1240299919-0
                  APIs
                  • GetLastError.KERNEL32(00000103,7FFFFFFF,0052FA52,00532367,00000000,?,?,00000000,00000001), ref: 0053354E
                  • TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 0053355C
                  • SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 005335A8
                    • Part of subcall function 0052FE46: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00533571,00000001,00000074,?,?,00000000,00000001), ref: 0052FF3C
                  • TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00533580
                  • GetCurrentThreadId.KERNEL32 ref: 00533591
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: ErrorLastValue$AllocCurrentHeapThread
                  • String ID:
                  • API String ID: 2020098873-0
                  APIs
                  • wsprintfA.USER32 ref: 10027B78
                  • MessageBoxA.USER32(00000000,?,error,00000010), ref: 10027B8F
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID: Messagewsprintf
                  • String ID: error$program internal error number is %d. %s
                  • API String ID: 300413163-3752934751
                  APIs
                  • HeapAlloc.KERNEL32(00000000,00002020,007EADD0,007EADD0,?,?,00538008,00000000,00000010,00000000,00000009,00000009,?,0052F091,00000010,00000000), ref: 00537B5D
                  • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00538008,00000000,00000010,00000000,00000009,00000009,?,0052F091,00000010,00000000), ref: 00537B81
                  • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00538008,00000000,00000010,00000000,00000009,00000009,?,0052F091,00000010,00000000), ref: 00537B9B
                  • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00538008,00000000,00000010,00000000,00000009,00000009,?,0052F091,00000010,00000000,?), ref: 00537C5C
                  • HeapFree.KERNEL32(00000000,00000000,?,?,00538008,00000000,00000010,00000000,00000009,00000009,?,0052F091,00000010,00000000,?,00000000), ref: 00537C73
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: AllocVirtual$FreeHeap
                  • String ID:
                  • API String ID: 714016831-0
                  APIs
                  • midiStreamOpen.WINMM(-00000189,-00000161,00000001,004D74A0,-000001A5,00030000,?,-000001A5,?,00000000), ref: 004D6E8B
                  • midiStreamProperty.WINMM ref: 004D6F72
                  • midiOutPrepareHeader.WINMM(?,?,00000040,00000001,?,?,-000001A5,?,00000000), ref: 004D70C0
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: midi$Stream$HeaderOpenPrepareProperty
                  • String ID:
                  • API String ID: 2061886437-0
                  APIs
                  • IsWindow.USER32(00000000), ref: 004C2594
                  • GetParent.USER32(00000000), ref: 004C25E4
                  • IsWindow.USER32(?), ref: 004C2604
                  • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 004C267F
                    • Part of subcall function 00543C3A: ShowWindow.USER32(?,?,004C05FC,00000000), ref: 00543C48
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: Window$ParentShow
                  • String ID:
                  • API String ID: 2052805569-0
                  APIs
                  • malloc.MSVCRT ref: 10029FB3
                  • LCMapStringA.KERNEL32(00000804,00400000,?,?,00000000,?,?,?,?,?,000009DC,00000000,?,10028774,00000001,?), ref: 10029FE7
                  • free.MSVCRT ref: 10029FF6
                  • free.MSVCRT ref: 1002A014
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID: free$Stringmalloc
                  • String ID:
                  • API String ID: 3576809655-0
                  APIs
                  • GetVersion.KERNEL32 ref: 0052D6CE
                    • Part of subcall function 00533728: HeapCreate.KERNEL32(00000000,00001000,00000000,0052D706,00000001), ref: 00533739
                    • Part of subcall function 00533728: HeapDestroy.KERNEL32 ref: 00533778
                  • GetCommandLineA.KERNEL32 ref: 0052D72E
                  • GetStartupInfoA.KERNEL32(?), ref: 0052D759
                  • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0052D77C
                    • Part of subcall function 0052D7D5: ExitProcess.KERNEL32 ref: 0052D7F2
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                  • String ID:
                  • API String ID: 2057626494-0
                  APIs
                  • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000020,00000000,00000000,00000000,80000005), ref: 10028DC8
                  • WriteFile.KERNEL32(00000000,?,?,?,00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9), ref: 10028E07
                  • CloseHandle.KERNEL32(00000000,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E1A
                  • CloseHandle.KERNEL32(00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E35
                  Memory Dump Source
                  • Source File: 00000004.00000002.2650373990.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_10000000_213.jbxd
                  Similarity
                  • API ID: CloseFileHandle$CreateWrite
                  • String ID:
                  • API String ID: 3602564925-0
                  APIs
                  • GetCPInfo.KERNEL32(?,00000000), ref: 005328B3
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: Info
                  • String ID: $
                  • API String ID: 1807457897-3032137957
                  • Opcode ID: 8c1aaf76b25d6f05240ea32e0cbc6f725ae848651f37e42dfbfab02a40d5dc74
                  • Instruction ID: 0d80f1f921bbeecc0d851934b0f227089876febe5036028c6d85f1b562a0e34d
                  • Opcode Fuzzy Hash: 8c1aaf76b25d6f05240ea32e0cbc6f725ae848651f37e42dfbfab02a40d5dc74
                  • Instruction Fuzzy Hash: 9A4159321047586EDB229724DD59BFF7FA9FB05700F1404E5E689DB1A3C2B18984DBB2
                  APIs
                  • __EH_prolog.LIBCMT ref: 00545916
                    • Part of subcall function 0054527B: __EH_prolog.LIBCMT ref: 00545280
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: H_prolog
                  • String ID: V5 $x|
                  • API String ID: 3519838083-3630372689
                  • Opcode ID: 19b73d30a48ce6c5ee6d87ec05ae603fee767b029379fef4b886f0c0579fd1aa
                  • Instruction ID: 4dc0b2076bdff16775e983571f4649235ed723db5b6046283e933dc56bf7751b
                  • Opcode Fuzzy Hash: 19b73d30a48ce6c5ee6d87ec05ae603fee767b029379fef4b886f0c0579fd1aa
                  • Instruction Fuzzy Hash: B6F06871A44705EBDB28AF74844E7DD7FE0BB44728F10852EB506E75C2E6744A44CF54
                  APIs
                  • HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00537462,00000000,00000000,00000000,0052F033,00000000,00000000,?,00000000,00000000,00000000), ref: 005376C2
                  • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00537462,00000000,00000000,00000000,0052F033,00000000,00000000,?,00000000,00000000,00000000), ref: 005376F6
                  • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00537710
                  • HeapFree.KERNEL32(00000000,?), ref: 00537727
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: AllocHeap$FreeVirtual
                  • String ID:
                  • API String ID: 3499195154-0
                  • Opcode ID: 08594dd17b18ef06082ac5740638665e31d113129a95d4f8ea61ba918e90c519
                  • Instruction ID: d88f095256ebd2bc95c4d204e3da2443ea4a3c9ea0d84491109f27dd9d04d5e1
                  • Opcode Fuzzy Hash: 08594dd17b18ef06082ac5740638665e31d113129a95d4f8ea61ba918e90c519
                  • Instruction Fuzzy Hash: D0114C70640741AFD7308F59EC8593A7FB6FF987A1B208A29F162D65B0C371A846DF80
                  APIs
                  • EnterCriticalSection.KERNEL32(00828C38,?,00000000,?,?,005497DD,00000010,?,00000000,?,?,?,005491C4,00549227,00548A9D,005491CA), ref: 0054A4A7
                  • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,005497DD,00000010,?,00000000,?,?,?,005491C4,00549227,00548A9D,005491CA), ref: 0054A4B9
                  • LeaveCriticalSection.KERNEL32(00828C38,?,00000000,?,?,005497DD,00000010,?,00000000,?,?,?,005491C4,00549227,00548A9D,005491CA), ref: 0054A4C2
                  • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,005497DD,00000010,?,00000000,?,?,?,005491C4,00549227,00548A9D,005491CA,005445D1), ref: 0054A4D4
                    • Part of subcall function 0054A3D9: GetVersion.KERNEL32(?,0054A47C,?,005497DD,00000010,?,00000000,?,?,?,005491C4,00549227,00548A9D,005491CA,005445D1,00545876), ref: 0054A3EC
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: CriticalSection$Enter$InitializeLeaveVersion
                  • String ID:
                  • API String ID: 1193629340-0
                  • Opcode ID: eeb8bb5024f9acf617f97ddcae4ce853d8abeed9d9bbde64eb01bfc1e8be555a
                  • Instruction ID: ef337a9b0004c7b2ad7d994ae533547e4aec21f7b429ef6062c26defdd8381b8
                  • Opcode Fuzzy Hash: eeb8bb5024f9acf617f97ddcae4ce853d8abeed9d9bbde64eb01bfc1e8be555a
                  • Instruction Fuzzy Hash: ECF0A43504231ADFCF60DF54EC98996B76CFB3031AB00442AE24583061DB34A45BDAA1
                  APIs
                  • InitializeCriticalSection.KERNEL32(?,005334EB,?,0052D718), ref: 00535DC8
                  • InitializeCriticalSection.KERNEL32(?,005334EB,?,0052D718), ref: 00535DD0
                  • InitializeCriticalSection.KERNEL32(?,005334EB,?,0052D718), ref: 00535DD8
                  • InitializeCriticalSection.KERNEL32(?,005334EB,?,0052D718), ref: 00535DE0
                  Memory Dump Source
                  • Source File: 00000004.00000002.2644226836.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_213.jbxd
                  Similarity
                  • API ID: CriticalInitializeSection
                  • String ID:
                  • API String ID: 32694325-0
                  • Opcode ID: b47d094a598671442320a0e7a37f87d8b3c70ec60b0162c471f1b67a473be826
                  • Instruction ID: f09b7e46a3944a21f6efb323c7c42375265d9e7b4a21461fe96da00fa37f67c0
                  • Opcode Fuzzy Hash: b47d094a598671442320a0e7a37f87d8b3c70ec60b0162c471f1b67a473be826
                  • Instruction Fuzzy Hash: 71C002719021B4FBCA512B55FE89C463F67EB1C261301C077A1045D470862E2C50EFD6