Windows Analysis Report
208.exe

Overview

General Information

Sample name: 208.exe
Analysis ID: 1559174
MD5: 1303d1bb003a5cdbfba7b1628760171b
SHA1: d82b0078d33249ed5301140cc50328f4095bd822
SHA256: fc29d31a9f14f38b2bff9a3902d49d74cf52abe54548edbed4987abd9c5104b2
Tags: exe, opendir, user-Joker

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found evasive API chain (may stop execution after checking mutex)
Machine Learning detection for dropped file
Machine Learning detection for sample
Renames NTDLL to bypass HIPS
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables driver privileges
Enables security privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • 208.exe (PID: 7496 cmdline: "C:\Users\user\Desktop\208.exe" MD5: 1303D1BB003A5CDBFBA7B1628760171B)
  • 208.exe (PID: 8040 cmdline: "C:\Users\user\Desktop\208.exe" MD5: 1303D1BB003A5CDBFBA7B1628760171B)
  • cleanup
No configs have been found
Source: Process Memory Space: 208.exe PID: 7496 | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: Process Memory Space: 208.exe PID: 8040 | Rule: JoeSecurity_Keylogger_Generic | Description: Yara detected Keylogger Generic | Author: Joe Security
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\Desktop\208.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\208.exe, ProcessId: 7496, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\
No Suricata rule has matched
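The Sigma hit above is driven by a Sysmon Event ID 13 (RegistryEvent, SetValue) record: 208.exe writes a value under the WOW6432Node CurrentVersion\Run key, which is where a 32-bit process lands when it opens the native Run key on 64-bit Windows. The following is an added example, not Joe Sandbox code and not the published Sigma rule; it re-implements only the core selection (SetValue on a CurrentVersion\Run* key by a non-allowlisted image) and runs it over constructed Sysmon events, the first of which carries the field values the report shows for PID 7496. The allowlist is an assumption for the example; the published rule has more filters than this.

```python
"""Sysmon Event ID 13 (RegistryEvent: SetValue) matcher for autorun-key writes.

Added example for this report; neither Joe Sandbox code nor the published Sigma
rule "Wow6432Node CurrentVersion Autorun Keys Modification". It keeps only the
rule's core condition; the allowlist and the events below are constructed.
"""
import re
from typing import Dict, Iterable, List

# Run/RunOnce/RunServices under CurrentVersion, with or without the WOW6432Node
# redirection a 32-bit process hits on 64-bit Windows. Registry paths are
# case-insensitive, so the match is too.
AUTORUN_KEY_RE = re.compile(
    r"\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunServices)(\\|$)",
    re.IGNORECASE,
)

# Constructed allowlist: images permitted to write these keys in this environment.
IMAGE_ALLOWLIST = frozenset(
    p.lower() for p in (
        r"C:\Windows\System32\msiexec.exe",
        r"C:\Windows\explorer.exe",
    )
)


def is_autorun_modification(event: Dict) -> bool:
    """True for an Event ID 13 SetValue on an autorun key from a non-allowlisted image."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return False
    if not AUTORUN_KEY_RE.search(event.get("TargetObject", "")):
        return False
    return event.get("Image", "").lower() not in IMAGE_ALLOWLIST


def matching_pids(events: Iterable[Dict]) -> List[int]:
    """ProcessIds of all events that trip the rule, in input order."""
    return [e["ProcessId"] for e in events if is_autorun_modification(e)]


# Constructed sample events. The first reproduces the field values the report
# lists for PID 7496 (the value name under Run\ is not shown on the page, so it
# is left off); the rest are benign controls.
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 7496,
     "Image": r"C:\Users\user\Desktop\208.exe",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" + "\\",
     "Details": r"C:\Users\user\Desktop\208.exe"},
    # Allowlisted installer writing a Run value: suppressed.
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 1234,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    # Same suspicious image, but a key the rule does not care about.
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 7496,
     "Image": r"C:\Users\user\Desktop\208.exe",
     "TargetObject": r"HKCU\Software\Classes\Local Settings\MuiCache\208.exe",
     "Details": "208"},
    # Key creation (Event ID 12) on the same path is a different event, not SetValue.
    {"EventID": 12, "EventType": "CreateKey", "ProcessId": 7496,
     "Image": r"C:\Users\user\Desktop\208.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        if is_autorun_modification(e):
            print(f"autorun write by PID {e['ProcessId']}: {e['Image']} -> {e['TargetObject']}")
```

The trailing `(\\|$)` in the key pattern is deliberate: it anchors on the key itself, so the match does not fire on sibling keys whose names merely start with "Run", and it still matches the report's TargetObject, which ends at `Run\` because the value name is not shown on this page.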


AV Detection

Source: C:\Users\user\Desktop\QQWER.dll | ReversingLabs: Detection: 73%
Source: 208.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.3% probability
Source: C:\Users\user\Desktop\QQWER.dll | Joe Sandbox ML: detected
Source: 208.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\208.exe | Unpacked PE file: 0.2.208.exe.10000000.2.unpack
Source: C:\Users\user\Desktop\208.exe | Unpacked PE file: 6.2.208.exe.10000000.2.unpack
Source: 208.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: devco n.pdbo source: 208.exe
Source: Binary string: wntdll.pdbUGP source: 208.exe, 00000000.00000003.1300427268.0000000002A70000.00000004.00000020.00020000.00000000.sdmp, 208.exe, 00000000.00000002.2568921114.0000000002C2A000.00000040.00000020.00020000.00000000.sdmp, 208.exe, 00000006.00000003.1475896137.0000000002A93000.00000004.00000020.00020000.00000000.sdmp, 208.exe, 00000006.00000002.2569243228.0000000002C45000.00000040.00000020.00020000.00000000.sdmp, 4c51f6.tmp.0.dr, 4c9652.tmp.6.dr
Source: Binary string: wntdll.pdb source: 208.exe, 00000000.00000003.1300427268.0000000002A70000.00000004.00000020.00020000.00000000.sdmp, 208.exe, 00000000.00000002.2568921114.0000000002C2A000.00000040.00000020.00020000.00000000.sdmp, 208.exe, 00000006.00000003.1475896137.0000000002A93000.00000004.00000020.00020000.00000000.sdmp, 208.exe, 00000006.00000002.2569243228.0000000002C45000.00000040.00000020.00020000.00000000.sdmp, 4c51f6.tmp.0.dr, 4c9652.tmp.6.dr
Source: Binary string: DrvInDM U.pdbe source: 208.exe
Source: Binary string: wuser32.pdb source: 208.exe, 00000000.00000003.1301551771.0000000002A71000.00000004.00000020.00020000.00000000.sdmp, 208.exe, 00000000.00000002.2569393031.0000000002DD2000.00000040.00000020.00020000.00000000.sdmp, 208.exe, 00000006.00000002.2569630067.0000000002DF7000.00000040.00000020.00020000.00000000.sdmp, 208.exe, 00000006.00000003.1477671896.0000000002A9A000.00000004.00000020.00020000.00000000.sdmp, 4c96fe.tmp.6.dr, 4c5264.tmp.0.dr
Source: Binary string: devc@on.pdb source: 208.exe
Source: Binary string: wuser32.pdbUGP source: 208.exe, 00000000.00000003.1301551771.0000000002A71000.00000004.00000020.00020000.00000000.sdmp, 208.exe, 00000000.00000002.2569393031.0000000002DD2000.00000040.00000020.00020000.00000000.sdmp, 208.exe, 00000006.00000002.2569630067.0000000002DF7000.00000040.00000020.00020000.00000000.sdmp, 208.exe, 00000006.00000003.1477671896.0000000002A9A000.00000004.00000020.00020000.00000000.sdmp, 4c96fe.tmp.6.dr, 4c5264.tmp.0.dr
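The wntdll.pdb and wuser32.pdb strings above are found not only in process memory but in the dropped files 4c51f6.tmp, 4c9652.tmp, 4c96fe.tmp and 4c5264.tmp, which is what the "Renames NTDLL to bypass HIPS" signature is pointing at: a fresh copy of ntdll.dll / user32.dll written under a throwaway name so that it can be loaded without the user-mode hooks a HIPS or EDR placed in the original. The copy still carries the original CodeView (RSDS) debug record naming Microsoft's PDB. The following is an added triage check, not Joe Sandbox code: it scans a buffer for RSDS records and flags a system-DLL PDB name that appears under a file name other than the DLL it belongs to. The PDB-to-module table is an assumption kept small for the example, and the sample buffer is constructed; the RSDS layout itself (signature, 16-byte GUID, 4-byte age, NUL-terminated path) is the standard CodeView 7.0 format.

```python
"""Flag renamed copies of system DLLs by their CodeView (RSDS) PDB name.

Added example for this report, not Joe Sandbox code. The PDB-to-module table
and the sample buffer are constructed; the RSDS record layout is standard.
"""
import struct
import uuid
from typing import List, Tuple

# Constructed mapping of Microsoft PDB names to the module that ships them.
# Extend from your own symbol-server inventory; this is not exhaustive.
SYSTEM_PDB_TO_MODULE = {
    "wntdll.pdb": "ntdll.dll",
    "ntdll.pdb": "ntdll.dll",
    "wuser32.pdb": "user32.dll",
    "user32.pdb": "user32.dll",
    "wkernel32.pdb": "kernel32.dll",
}


def find_rsds_records(data: bytes) -> List[Tuple[int, str, int, str]]:
    """Return (offset, guid, age, pdb_path) for every well-formed RSDS record in data.

    Layout: 'RSDS' | GUID (16 bytes, little-endian mixed) | age (uint32 LE) | path | NUL.
    Scanning for the signature rather than walking the PE debug directory keeps the
    check usable on memory dumps and on files whose headers were damaged on purpose.
    """
    out = []
    pos = data.find(b"RSDS")
    while pos != -1:
        hdr_end = pos + 4 + 16 + 4
        if hdr_end <= len(data):
            guid = str(uuid.UUID(bytes_le=data[pos + 4:pos + 20]))
            age = struct.unpack_from("<I", data, pos + 20)[0]
            nul = data.find(b"\x00", hdr_end)
            if nul != -1:
                path = data[hdr_end:nul].decode("latin-1")
                # A real PDB path is printable ASCII; anything else is a false signature hit.
                if path and all(32 <= ord(c) < 127 for c in path):
                    out.append((pos, guid, age, path))
        pos = data.find(b"RSDS", pos + 4)
    return out


def renamed_system_dll_pdbs(filename: str, data: bytes) -> List[str]:
    """PDB names in data that belong to a system DLL other than `filename` itself."""
    base = filename.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    hits = []
    for _, _, _, path in find_rsds_records(data):
        pdb = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        module = SYSTEM_PDB_TO_MODULE.get(pdb)
        if module and module != base:
            hits.append(pdb)
    return hits


def build_rsds(pdb_path: str, age: int = 1) -> bytes:
    """Constructed RSDS record used to build the sample buffer below."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode() + b"\x00"


# Constructed sample "dropped file": a record naming wntdll.pdb (what a renamed
# ntdll copy carries) and a second, unrelated project PDB that must not be flagged.
SAMPLE_TMP = (
    b"\x00" * 32
    + build_rsds("wntdll.pdb", 2)
    + b"\x00" * 5
    + build_rsds(r"C:\src\sample\Release\sample.pdb", 1)
    + b"\x00" * 4
)

if __name__ == "__main__":
    for off, guid, age, path in find_rsds_records(SAMPLE_TMP):
        print(f"RSDS @ {off:#x}: {path} (guid {guid}, age {age})")
    print("renamed system DLLs in 4c51f6.tmp:", renamed_system_dll_pdbs("4c51f6.tmp", SAMPLE_TMP))
```

Two caveats when using this on real artefacts: a process memory dump of any healthy process also contains wntdll.pdb, since the genuine ntdll is mapped there, so the signal is the PDB name inside a file on disk (the .tmp drops here), not its presence in memory; and a copy-and-load of ntdll only helps the sample against hooks placed in the original module's code pages, so pairing this check with a module-list comparison (an "ntdll" export table under a non-System32 path) is the stronger detection.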
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_1000710E
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-28h], esp | 0_2_1000710E
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1001A199
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_10018AD3
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_10018EEA
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_100193C2
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-24h], esp | 0_2_100193C2
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_10007FDD
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_10018801
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_10017804
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_10011772
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10013C18
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_10011C1A
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1001A031
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 0_2_10024C38
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_1001AC51
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10006051
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1001385A
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_10002461
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_1000F472
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 0_2_1001847E
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10022882
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-38h], esp | 0_2_10025484
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 0_2_10025484
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_10006495
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10006C96
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_10014096
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_100024AC
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_100024AC
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1000FCB0
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 0_2_1001A8BE
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_100198CC
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 0_2_100188E1
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1001A4E7
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1000210D
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-24h], esp | 0_2_1000B90D
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10003116
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_10017D41
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1000FD4D
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 0_2_10001D56
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 0_2_10025977
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_10010199
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_1001419C
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10008DA3
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 0_2_100111A7
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10007DB8
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 0_2_100151BD
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-28h], esp | 0_2_1001D1C4
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_1001D1C4
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 0_2_100259D9
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 0_2_100221E2
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_100189E6
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_1000FDEA
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 0_2_100101FB
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 0_2_10014203
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1001121A
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_1000B61E
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 0_2_1001221F
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1001A236
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_1001363D
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1001363D
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10008E40
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 0_2_10011653
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10010255
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10007E55
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-24h], esp | 0_2_10007E55
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 0_2_1000C655
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 0_2_1000C655
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-40h], esp | 0_2_1000C655
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1000FA6F
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10022A80
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10011E89
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 0_2_10014289
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 0_2_10014289
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 0_2_1002129C
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-54h], esp | 0_2_1002129C
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 0_2_1002129C
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1001A6C7
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 0_2_10017ECA
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10010AD6
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-38h], esp | 0_2_10008EDD
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_1001BADE
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_100246E4
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp | 0_2_1001F2ED
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1001A6F8
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 0_2_1001A6F8
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 0_2_100236FF
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1000FF10
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10008B27
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_1001BB29
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_10015B34
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1000833D
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-34h], esp | 0_2_10012B40
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_1000634E
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1000B353
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 0_2_10026356
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-54h], esp | 0_2_1001DB5C
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 0_2_1001DB5C
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_10017B68
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-38h], esp | 0_2_10024781
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 0_2_10024781
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 0_2_1002378A
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 0_2_1002378A
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 0_2_1001BFA0
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-24h], esp | 0_2_1001BFA0
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 0_2_1000A7A2
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_100137A3
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1000F7AC
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10008BC4
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10013FC8
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_10007BCA
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 0_2_10005FDA
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_100253E7
Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 0_2_1000B3F0
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 6_2_1000710E
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 6_2_1000710E
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-28h], esp | 6_2_1000710E
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 6_2_1000710E
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_1001A199
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 6_2_10018AD3
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 6_2_10018AD3
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 6_2_10018EEA
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 6_2_100193C2
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-24h], esp | 6_2_100193C2
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 6_2_10007FDD
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 6_2_10018801
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 6_2_10017804
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 6_2_10011772
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_10013C18
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 6_2_10011C1A
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_1001A031
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 6_2_10024C38
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 6_2_1001AC51
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 6_2_1001AC51
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 6_2_1001AC51
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_10006051
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_10006051
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 6_2_1001385A
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 6_2_10002461
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 6_2_1000F472
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 6_2_1001847E
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_10022882
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-38h], esp | 6_2_10025484
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 6_2_10025484
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 6_2_10006495
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_10006C96
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 6_2_10014096
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 6_2_10014096
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 6_2_100024AC
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 6_2_100024AC
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 6_2_100024AC
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 6_2_100024AC
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_1000FCB0
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 6_2_1001A8BE
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 6_2_1001A8BE
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 6_2_1001A8BE
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 6_2_1001A8BE
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 6_2_1001A8BE
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 6_2_1001A8BE
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 6_2_1001A8BE
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 6_2_1001A8BE
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 6_2_1001A8BE
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 6_2_1001A8BE
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 6_2_1001A8BE
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 6_2_1001A8BE
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_100198CC
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 6_2_100188E1
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 6_2_1001A4E7
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 6_2_1000210D
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 6_2_1000210D
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-24h], esp | 6_2_1000B90D
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_10003116
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 6_2_10017D41
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 6_2_10017D41
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_1000FD4D
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 6_2_10001D56
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 6_2_10025977
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 6_2_10010199
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 6_2_1001419C
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 6_2_1001419C
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_10008DA3
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 6_2_100111A7
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_10007DB8
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 6_2_100151BD
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 6_2_100151BD
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 6_2_100151BD
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-28h], esp | 6_2_1001D1C4
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 6_2_1001D1C4
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 6_2_100259D9
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 6_2_100221E2
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 6_2_100221E2
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 6_2_100221E2
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 6_2_100221E2
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 6_2_100221E2
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_100189E6
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 6_2_1000FDEA
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 6_2_100101FB
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 6_2_10014203
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 6_2_1001121A
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 6_2_1001121A
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 6_2_1001121A
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 6_2_1001121A
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 6_2_1001121A
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 6_2_1001121A
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 6_2_1000B61E
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 6_2_1001221F
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp | 6_2_1001221F
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 6_2_1001A236
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 6_2_1001363D
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 6_2_1001363D
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_10008E40
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 6_2_10011653
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 6_2_10011653
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_10010255
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_10010255
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_10007E55
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-24h], esp | 6_2_10007E55
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 6_2_1000C655
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 6_2_1000C655
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 6_2_1000C655
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 6_2_1000C655
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 6_2_1000C655
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 6_2_1000C655
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 6_2_1000C655
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 6_2_1000C655
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 6_2_1000C655
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-40h], esp | 6_2_1000C655
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 6_2_1000C655
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 6_2_1000C655
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 6_2_1000C655
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 6_2_1000C655
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-40h], esp | 6_2_1000C655
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp | 6_2_1000C655
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_1000FA6F
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_10022A80
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_10011E89
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 6_2_1002129C
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 6_2_1002129C
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 6_2_1002129C
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 6_2_1002129C
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 6_2_1002129C
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-54h], esp | 6_2_1002129C
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 6_2_1002129C
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 6_2_1002129C
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 6_2_1002129C
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-50h], esp | 6_2_1002129C
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 6_2_1002129C
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 6_2_1002129C
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 6_2_1002129C
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 6_2_1002129C
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 6_2_1001A6C7
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], esp | 6_2_10017ECA
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_10010AD6
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_10010AD6
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-38h], esp | 6_2_10008EDD
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 6_2_1001BADE
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_100246E4
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0000008Ch], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-00000084h], esp | 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_1001A6F8
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 6_2_1001A6F8
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_1001A6F8
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_1001A6F8
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_1001A6F8
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_1001A6F8
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 6_2_100236FF
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-08h], esp | 6_2_100236FF
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_1000FF10
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_10008B27
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 6_2_1001BB29
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 6_2_10015B34
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_1000833D
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-34h], esp | 6_2_10012B40
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-04h], esp | 6_2_1000634E
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_1000B353
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 6_2_10026356
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-54h], esp | 6_2_1001DB5C
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_1001DB5C
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 6_2_10017B68
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 6_2_10011772
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-38h], esp | 6_2_10024781
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 6_2_10024781
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 6_2_1002378A
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 6_2_1002378A
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-14h], esp | 6_2_1002378A
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 6_2_1002378A
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp | 6_2_1002378A
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-58h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-44h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-48h], esp | 6_2_10014289
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 6_2_1001BFA0
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 6_2_1001BFA0
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 6_2_1001BFA0
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-24h], esp | 6_2_1001BFA0
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp | 6_2_1001BFA0
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-18h], esp | 6_2_1000A7A2
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_100137A3
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_1000F7AC
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_10008BC4
      Source: C:\Users\user\Desktop\208.exe | Code function: 4x nop then cmp dword ptr [ebp-10h], esp | 6_2_10013FC8
      Source: Joe Sandbox View | IP Address: 42.193.100.57
      Source: global traffic | HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) | Host: 42.193.100.57 | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) | Host: 42.193.100.57 | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) | Host: 42.193.100.57 | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) | Host: 42.193.100.57 | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) | Host: 42.193.100.57 | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) | Host: 42.193.100.57 | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) | Host: 42.193.100.57 | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1 | Accept: */* | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) | Host: 42.193.100.57 | Cache-Control: no-cache
      Source: unknownTCP traffic detected without corresponding DNS query: 42.193.100.57
      Source: global traffic | HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Content-Type: text/html
        Server: Microsoft-IIS/8.5
        Date: Wed, 20 Nov 2024 08:21:46 GMT
        Content-Length: 1163
        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e b7 fe ce f1 c6 f7 b4 ed ce f3 3c 2f 68 31 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69
      Source: global traffic | HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Content-Type: text/html
        Server: Microsoft-IIS/8.5
        Date: Wed, 20 Nov 2024 08:22:03 GMT
        Content-Length: 1163
        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e b7 fe ce f1 c6 f7 b4 ed ce f3 3c 2f 68 31 3e 3c 2f 64 69 76 3e 0d 0a 3c 64 69
      Source: 208.exe | String found in binary or memory: http://.httpsset-cookie:;;
      Source: 208.exe | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/
      Source: 208.exe, 00000000.00000002.2567616480.0000000000B14000.00000004.00000020.00020000.00000000.sdmp, 208.exe, 00000006.00000002.2567676900.0000000000D00000.00000004.00000020.00020000.00000000.sdmp, 208.exe, 00000006.00000002.2567676900.0000000000CEA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt
      Source: 208.exe, 00000000.00000002.2567616480.0000000000B32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt&
      Source: 208.exe, 00000000.00000002.2567616480.0000000000B32000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt/
      Source: 208.exe, 00000006.00000002.2567676900.0000000000D00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtD
      Source: 208.exe | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt
      Source: 208.exe | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtC:
      Source: 208.exe, 00000000.00000002.2567616480.0000000000B14000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtI
      Source: 208.exe, 00000000.00000002.2567616480.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtK
      Source: 208.exe, 00000000.00000002.2567616480.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtQ
      Source: 208.exe, 00000006.00000002.2567676900.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtQL
      Source: 208.exe, 00000006.00000002.2567676900.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtY
      Source: 208.exe, 00000006.00000002.2567676900.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txteM
      Source: 208.exe | String found in binary or memory: http://ocsp.t
      Source: 208.exe | String found in binary or memory: http://sf.symc
      Source: 208.exe | String found in binary or memory: http://ts-ocsp.ws.s
      Source: 208.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.
      Source: 208.exe | String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
      Source: 208.exe | String found in binary or memory: https://User-Agent:Mozilla/4.0
      Source: 208.exe | String found in binary or memory: https://note.youdao.com/yws/public/note/03cb89fe74e7b4305099ed5dabde2135?sev=j1
      Source: 208.exe | String found in binary or memory: https://ww(w.v
      Source: C:\Users\user\Desktop\208.exe | Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits, 0_2_1001F2ED
      Source: 208.exe, 00000000.00000002.2567616480.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: GetRawInputData memstr_def52021-3
      Source: Yara match | File source: Process Memory Space: 208.exe PID: 7496, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: 208.exe PID: 8040, type: MEMORYSTR
      Source: C:\Users\user\Desktop\208.exe | Code function: 0_2_10007FDD NtClose, 0_2_10007FDD
      Source: C:\Users\user\Desktop\208.exe | Code function: 0_2_1001419C ReleaseMutex,NtClose, 0_2_1001419C
      Source: C:\Users\user\Desktop\208.exe | Code function: 0_2_1001221F NtClose, 0_2_1001221F
      Source: C:\Users\user\Desktop\208.exe | Code function: 6_2_10007FDD NtClose, 6_2_10007FDD
      Source: C:\Users\user\Desktop\208.exe | Code function: 6_2_1001419C ReleaseMutex,NtClose, 6_2_1001419C
      Source: C:\Users\user\Desktop\208.exe | Code function: 6_2_1001221F NtClose, 6_2_1001221F
      Source: C:\Users\user\Desktop\208.exe | Code function: 0_2_004C68D0 0_2_004C68D0
      Source: C:\Users\user\Desktop\208.exe | Code function: 0_2_10002628 0_2_10002628
      Source: C:\Users\user\Desktop\208.exe | Code function: 0_2_100032EA 0_2_100032EA
      Source: C:\Users\user\Desktop\208.exe | Code function: 6_2_004C68D0 6_2_004C68D0
      Source: C:\Users\user\Desktop\208.exe | Code function: 6_2_10002628 6_2_10002628
      Source: C:\Users\user\Desktop\208.exe | Code function: 6_2_100032EA 6_2_100032EA
      Source: C:\Users\user\Desktop\208.exe | Process token adjusted: Load Driver
      Source: C:\Users\user\Desktop\208.exe | Process token adjusted: Security
      Source: C:\Users\user\Desktop\208.exe | Code function: String function: 10029640 appears 130 times
      Source: 4c51f6.tmp.0.dr | Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
      Source: 4c9652.tmp.6.dr | Static PE information: Resource name: RT_MESSAGETABLE type: PDP-11 separate I&D executable not stripped
      Source: 4c9652.tmp.6.dr | Static PE information: No import functions for PE file found
      Source: 4c51f6.tmp.0.dr | Static PE information: No import functions for PE file found
      Source: 208.exe, 00000000.00000002.2568921114.0000000002D57000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 208.exe
      Source: 208.exe, 00000000.00000002.2569393031.0000000002E7A000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 208.exe
      Source: 208.exe, 00000000.00000003.1301551771.0000000002A71000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 208.exe
      Source: 208.exe, 00000000.00000003.1300427268.0000000002B93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 208.exe
      Source: 208.exe, 00000006.00000002.2569243228.0000000002D72000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 208.exe
      Source: 208.exe, 00000006.00000003.1475896137.0000000002BB6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 208.exe
      Source: 208.exe, 00000006.00000002.2569630067.0000000002E9F000.00000040.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 208.exe
      Source: 208.exe, 00000006.00000003.1477671896.0000000002A9A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameuser32j% vs 208.exe
      Source: 208.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: QQWER.dll.0.dr | Static PE information: Section: .rsrc ZLIB complexity 1.0002780183550337
      Source: 4c9652.tmp.6.dr | Binary string: \Device\IPT[
      Source: classification engine | Classification label: mal84.evad.winEXE@2/10@0/1
      Source: C:\Users\user\Desktop\208.exe | Code function: 0_2_004209CE GetDiskFreeSpaceExA, 0_2_004209CE
      Source: C:\Users\user\Desktop\208.exe | File created: C:\Users\user\Desktop\QQWER.dll
      Source: C:\Users\user\Desktop\208.exe | Mutant created: NULL
      Source: C:\Users\user\Desktop\208.exe | File created: C:\Users\user~1\AppData\Local\Temp\4c51f6.tmp
      Source: 208.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\208.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: 208.exe | ReversingLabs: Detection: 47%
      Source: unknown | Process created: C:\Users\user\Desktop\208.exe "C:\Users\user\Desktop\208.exe"
      Source: C:\Users\user\Desktop\208.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: winmm.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: rasapi32.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: rasman.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: wininet.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: dpapi.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: winnsi.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: textshaping.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: textinputframework.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: coreuicomponents.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: coremessaging.dll
      Source: C:\Users\user\Desktop\208.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\208.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
      Source: C:\Users\user\Desktop\208.exe | Window detected: Number of UI elements: 23
      Source: 208.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
      Source: 208.exe | Static file information: File size 5218304 > 1048576
      Source: 208.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x150000
      Source: 208.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x284000
      Source: 208.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x10d000
      Source: Binary string: devco n.pdbo source: 208.exe
      Source: Binary string: wntdll.pdbUGP source: 208.exe, 00000000.00000003.1300427268.0000000002A70000.00000004.00000020.00020000.00000000.sdmp, 208.exe, 00000000.00000002.2568921114.0000000002C2A000.00000040.00000020.00020000.00000000.sdmp, 208.exe, 00000006.00000003.1475896137.0000000002A93000.00000004.00000020.00020000.00000000.sdmp, 208.exe, 00000006.00000002.2569243228.0000000002C45000.00000040.00000020.00020000.00000000.sdmp, 4c51f6.tmp.0.dr, 4c9652.tmp.6.dr
      Source: Binary string: wntdll.pdb source: 208.exe, 00000000.00000003.1300427268.0000000002A70000.00000004.00000020.00020000.00000000.sdmp, 208.exe, 00000000.00000002.2568921114.0000000002C2A000.00000040.00000020.00020000.00000000.sdmp, 208.exe, 00000006.00000003.1475896137.0000000002A93000.00000004.00000020.00020000.00000000.sdmp, 208.exe, 00000006.00000002.2569243228.0000000002C45000.00000040.00000020.00020000.00000000.sdmp, 4c51f6.tmp.0.dr, 4c9652.tmp.6.dr
      Source: Binary string: DrvInDM U.pdbe source: 208.exe
      Source: Binary string: wuser32.pdb source: 208.exe, 00000000.00000003.1301551771.0000000002A71000.00000004.00000020.00020000.00000000.sdmp, 208.exe, 00000000.00000002.2569393031.0000000002DD2000.00000040.00000020.00020000.00000000.sdmp, 208.exe, 00000006.00000002.2569630067.0000000002DF7000.00000040.00000020.00020000.00000000.sdmp, 208.exe, 00000006.00000003.1477671896.0000000002A9A000.00000004.00000020.00020000.00000000.sdmp, 4c96fe.tmp.6.dr, 4c5264.tmp.0.dr
      Source: Binary string: devc@on.pdb source: 208.exe
      Source: Binary string: wuser32.pdbUGP source: 208.exe, 00000000.00000003.1301551771.0000000002A71000.00000004.00000020.00020000.00000000.sdmp, 208.exe, 00000000.00000002.2569393031.0000000002DD2000.00000040.00000020.00020000.00000000.sdmp, 208.exe, 00000006.00000002.2569630067.0000000002DF7000.00000040.00000020.00020000.00000000.sdmp, 208.exe, 00000006.00000003.1477671896.0000000002A9A000.00000004.00000020.00020000.00000000.sdmp, 4c96fe.tmp.6.dr, 4c5264.tmp.0.dr

      Data Obfuscation

      Source: C:\Users\user\Desktop\208.exe | Unpacked PE file: 0.2.208.exe.10000000.2.unpack
      Source: C:\Users\user\Desktop\208.exe | Unpacked PE file: 6.2.208.exe.10000000.2.unpack
      Source: C:\Users\user\Desktop\208.exe | Code function: 0_2_004C4840 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary, 0_2_004C4840
      Source: initial sample | Static PE information: section where entry point is pointing to: .rsrc
      Source: QQWER.dll.0.dr | Static PE information: section name: .Upack
      Source: 4c51f6.tmp.0.dr | Static PE information: section name: RT
      Source: 4c51f6.tmp.0.dr | Static PE information: section name: .mrdata
      Source: 4c51f6.tmp.0.dr | Static PE information: section name: .00cfg
      Source: 4c5264.tmp.0.dr | Static PE information: section name: .didat
      Source: 4c9652.tmp.6.dr | Static PE information: section name: RT
      Source: 4c9652.tmp.6.dr | Static PE information: section name: .mrdata
      Source: 4c9652.tmp.6.dr | Static PE information: section name: .00cfg
      Source: 4c96fe.tmp.6.dr | Static PE information: section name: .didat
      Source: C:\Users\user\Desktop\208.exe | Code function: 0_2_0052F510 push eax; ret 0_2_0052F53E
      Source: C:\Users\user\Desktop\208.exe | Code function: 0_2_00531784 push eax; ret 0_2_005317A2
      Source: C:\Users\user\Desktop\208.exe | Code function: 0_2_1002C7F8 push edi; ret 0_2_1002C7FC
      Source: C:\Users\user\Desktop\208.exe | Code function: 6_2_0052F510 push eax; ret 6_2_0052F53E
      Source: C:\Users\user\Desktop\208.exe | Code function: 6_2_00531784 push eax; ret 6_2_005317A2
      Source: C:\Users\user\Desktop\208.exe | Code function: 6_2_1002C7F8 push edi; ret 6_2_1002C7FC
      Source: QQWER.dll.0.dr | Static PE information: section name: .rsrc entropy: 7.999713933191419
      Source: 4c51f6.tmp.0.dr | Static PE information: section name: .text entropy: 6.844715065913507
      Source: 4c9652.tmp.6.dr | Static PE information: section name: .text entropy: 6.844715065913507
      Source: C:\Users\user\Desktop\208.exe | File created: C:\Users\user\AppData\Local\Temp\4c51f6.tmp
      Source: C:\Users\user\Desktop\208.exe | File created: C:\Users\user\AppData\Local\Temp\4c9652.tmp
      Source: C:\Users\user\Desktop\208.exe | File created: C:\Users\user\AppData\Local\Temp\4c96fe.tmp
      Source: C:\Users\user\Desktop\208.exe | File created: C:\Users\user\AppData\Local\Temp\4c5264.tmp
      Source: C:\Users\user\Desktop\208.exe | File created: C:\Users\user\Desktop\QQWER.dll
      Source: C:\Users\user\Desktop\208.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
      Source: C:\Users\user\Desktop\208.exe | Code function: 0_2_004CC7E0 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow, 0_2_004CC7E0
      Source: C:\Users\user\Desktop\208.exe | Code function: 0_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits, 0_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Code function: 6_2_004CC7E0 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow, 6_2_004CC7E0
      Source: C:\Users\user\Desktop\208.exe | Code function: 6_2_1001F2ED IsWindow,IsIconic,GetDCEx,GetDCEx,GetWindowInfo,GetWindowRect,CreateCompatibleDC,CreateDIBSection,SelectObject,CreateCompatibleDC,SelectObject,PrintWindow,BitBlt,BitBlt,BitBlt,SelectObject,GetDIBits, 6_2_1001F2ED
      Source: C:\Users\user\Desktop\208.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\208.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\208.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\208.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\208.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\208.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\208.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\208.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\208.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\208.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\208.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\208.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\208.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\208.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion

Source: C:\Users\user\Desktop\208.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_0-21553
Source: C:\Users\user\Desktop\208.exe File opened: C:\Windows\SysWOW64\ntdll.dll (reported 4 times)
Source: C:\Users\user\Desktop\208.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4c51f6.tmp
Source: C:\Users\user\Desktop\208.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4c9652.tmp
Source: C:\Users\user\Desktop\208.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4c96fe.tmp
Source: C:\Users\user\Desktop\208.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\4c5264.tmp
Source: C:\Users\user\Desktop\208.exe Dropped PE file which has not been started: C:\Users\user\Desktop\QQWER.dll
Source: C:\Users\user\Desktop\208.exe File Volume queried: C:\ FullSizeInformation (reported 2 times)
Source: C:\Users\user\Desktop\208.exe Code function: 0_2_1000710E GetVersionExA,GetSystemInfo,RtlGetNtVersionNumbers, 0_2_1000710E
Source: 208.exe, 00000000.00000002.2567616480.0000000000B32000.00000004.00000020.00020000.00000000.sdmp, 208.exe, 00000006.00000002.2567676900.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp, 208.exe, 00000006.00000002.2567676900.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 208.exe, 00000000.00000002.2567616480.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\208.exe API call chain: ExitProcess graph end node graph_0-21667
Source: C:\Users\user\Desktop\208.exe API call chain: ExitProcess graph end node graph_6-21751
Source: C:\Users\user\Desktop\208.exe Code function: 0_2_10004B1B LdrInitializeThunk, 0_2_10004B1B
Source: C:\Users\user\Desktop\208.exe Code function: 0_2_004C4840 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary, 0_2_004C4840
Source: C:\Users\user\Desktop\208.exe Code function: 0_2_1001A4C7 mov eax, dword ptr fs:[00000030h] 0_2_1001A4C7
Source: C:\Users\user\Desktop\208.exe Code function: 0_2_1000AE99 mov eax, dword ptr fs:[00000030h] 0_2_1000AE99
Source: C:\Users\user\Desktop\208.exe Code function: 6_2_1001A4C7 mov eax, dword ptr fs:[00000030h] 6_2_1001A4C7
Source: C:\Users\user\Desktop\208.exe Code function: 6_2_1000AE99 mov eax, dword ptr fs:[00000030h] 6_2_1000AE99
Source: C:\Users\user\Desktop\208.exe Code function: 0_2_10027BB0 GetProcessHeap,RtlAllocateHeap,MessageBoxA, 0_2_10027BB0
Source: C:\Users\user\Desktop\208.exe Process token adjusted: Debug (reported 2 times)
Source: 208.exe Binary or memory string: @TaskbarCreatedShell_TrayWndTrayNotifyWndSysPagerToolbarWindow32@@
Source: 208.exe Binary or memory string: Shell_TrayWnd
Source: 208.exe, 00000000.00000002.2567616480.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp, 208.exe, 00000000.00000003.1301551771.0000000002A71000.00000004.00000020.00020000.00000000.sdmp, 208.exe, 00000000.00000002.2569393031.0000000002DD2000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
Source: 208.exe, 00000000.00000002.2567616480.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow%
Source: 208.exe, 00000000.00000002.2567616480.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp, 208.exe, 00000000.00000003.1301551771.0000000002A71000.00000004.00000020.00020000.00000000.sdmp, 208.exe, 00000000.00000002.2569393031.0000000002DD2000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\208.exe Code function: 0_2_10019EDC cpuid 0_2_10019EDC
Source: C:\Users\user\Desktop\208.exe Code function: 0_2_00533E50 GetVersionExA,GetEnvironmentVariableA,GetModuleFileNameA, 0_2_00533E50
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 11 Native API | 1 Registry Run Keys / Startup Folder | 2 Process Injection | 1 Masquerading | 11 Input Capture | 111 Security Software Discovery | Remote Services | 1 Screen Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 LSASS Driver | 1 Registry Run Keys / Startup Folder | 2 Process Injection | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 11 Input Capture | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 LSASS Driver | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | 1 Archive Collected Data | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 4 Obfuscated Files or Information | NTDS | 15 System Information Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Software Packing | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

Source | Detection | Scanner | Label
208.exe | 47% | ReversingLabs |
208.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\Desktop\QQWER.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\4c51f6.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\4c5264.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\4c9652.tmp | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\4c96fe.tmp | 0% | ReversingLabs |
C:\Users\user\Desktop\QQWER.dll | 73% | ReversingLabs | Win32.Infostealer.OnlineGames
      No Antivirus matches
      No Antivirus matches
Source | Detection | Scanner | Label
http://ocsp.t | 0% | Avira URL Cloud | safe
http://.httpsset-cookie:;; | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtK | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt/ | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtQ | 0% | Avira URL Cloud | safe
http://sf.symc | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txteM | 0% | Avira URL Cloud | safe
http://ts-ocsp.ws.symantec. | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtI | 0% | Avira URL Cloud | safe
http://ts-ocsp.ws.s | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt& | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtC: | 0% | Avira URL Cloud | safe
https://ww(w.v | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtQL | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtY | 0% | Avira URL Cloud | safe
https://User-Agent:Mozilla/4.0 | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtD | 0% | Avira URL Cloud | safe
http://42.193.100.57/%E5%AD%98%E6%A1%A3/ | 0% | Avira URL Cloud | safe
      No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.eyuyan.com)DVarFileInfo$ | 208.exe | false | | high
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtI | 208.exe, 00000000.00000002.2567616480.0000000000B14000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.t | 208.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtK | 208.exe, 00000000.00000002.2567616480.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txteM | 208.exe, 00000006.00000002.2567676900.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://.httpsset-cookie:;; | 208.exe | false | Avira URL Cloud: safe | unknown
http://ts-ocsp.ws.s | 208.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt/ | 208.exe, 00000000.00000002.2567616480.0000000000B32000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://note.youdao.com/yws/public/note/03cb89fe74e7b4305099ed5dabde2135?sev=j1 | 208.exe | false | | high
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtQ | 208.exe, 00000000.00000002.2567616480.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://ts-ocsp.ws.symantec. | 208.exe | false | Avira URL Cloud: safe | unknown
http://sf.symc | 208.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtC: | 208.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txt& | 208.exe, 00000000.00000002.2567616480.0000000000B32000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtY | 208.exe, 00000006.00000002.2567676900.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ww(w.v | 208.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txtQL | 208.exe, 00000006.00000002.2567676900.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://User-Agent:Mozilla/4.0 | 208.exe | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E5%AD%98%E6%A1%A3/.txtD | 208.exe, 00000006.00000002.2567676900.0000000000D00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://42.193.100.57/%E5%AD%98%E6%A1%A3/ | 208.exe | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
42.193.100.57 | unknown | China | 4249 | LILLY-ASUS | false
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1559174
          Start date and time:2024-11-20 09:20:31 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 5m 40s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:10
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:208.exe
          Detection:MAL
          Classification:mal84.evad.winEXE@2/10@0/1
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:Failed
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
          • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
          • VT rate limit hit for: 208.exe
Time | Type | Description
09:21:38 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\user\Desktop\208.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
42.193.100.57 | #U4fdd#U62a4#U795e1.exe | malicious | Unknown | 42.193.100.57/%E5%8D%83%E5%8D%83%E6%99%9A%E6%98%9F16.exe
42.193.100.57 | 213.exe | malicious | Unknown | 42.193.100.57/%E5%AD%98%E6%A1%A3/.txt
42.193.100.57 | 211.exe | malicious | Unknown | 42.193.100.57/%E5%AD%98%E6%A1%A3/.txt
42.193.100.57 | 212.exe | malicious | Unknown | 42.193.100.57/%E5%AD%98%E6%A1%A3/.txt
42.193.100.57 | 214.exe | malicious | Unknown | 42.193.100.57/%E5%AD%98%E6%A1%A3/.txt
          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
LILLY-ASUS | #U4fdd#U62a4#U795e1.exe | malicious | Unknown | 42.193.100.57
LILLY-ASUS | 213.exe | malicious | Unknown | 42.193.100.57
LILLY-ASUS | 211.exe | malicious | Unknown | 42.193.100.57
LILLY-ASUS | 212.exe | malicious | Unknown | 42.193.100.57
LILLY-ASUS | 214.exe | malicious | Unknown | 42.193.100.57
LILLY-ASUS | SWIFT COPY 0028_pdf.exe | malicious | FormBook | 43.155.76.124
LILLY-ASUS | arm7.nn-20241120-0508.elf | malicious | Mirai, Okiru | 43.52.215.121
LILLY-ASUS | arm.nn-20241120-0508.elf | malicious | Mirai, Okiru | 43.152.251.74
LILLY-ASUS | x86_32.nn.elf | malicious | Mirai, Okiru | 40.221.176.183
LILLY-ASUS | https://trackwniw.top/i | malicious | Unknown | 43.130.33.71
          No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\4c51f6.tmp | 211.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\4c51f6.tmp | 212.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\4c51f6.tmp | 214.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\4c51f6.tmp | SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\4c51f6.tmp | file.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\4c51f6.tmp | file.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\4c51f6.tmp | file.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\4c51f6.tmp | BCNFNjvJNq.exe | malicious | ADWIND, Lokibot, Ramnit, Sality
C:\Users\user\AppData\Local\Temp\4c51f6.tmp | cnlg48.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\4c51f6.tmp | Lisect_AVT_24003_G1A_54.exe | malicious | Bdaejec
C:\Users\user\AppData\Local\Temp\4c5264.tmp | 99.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\4c5264.tmp | 211.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\4c5264.tmp | 212.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\4c5264.tmp | 214.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\4c5264.tmp | SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\4c5264.tmp | file.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\4c5264.tmp | file.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\4c5264.tmp | file.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\4c5264.tmp | FZ6oyLoqGM.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\4c5264.tmp | Lisect_AVT_24003_G1A_54.exe | malicious | Bdaejec
Process:C:\Users\user\Desktop\208.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1699896
Entropy (8bit):6.290547513916722
Encrypted:false
SSDEEP:24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:5564A98A4692BA8B2D25770FB834D5F6
SHA1:129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: 211.exe, Detection: malicious
• Filename: 212.exe, Detection: malicious
• Filename: 214.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: BCNFNjvJNq.exe, Detection: malicious
• Filename: cnlg48.exe, Detection: malicious
• Filename: Lisect_AVT_24003_G1A_54.exe, Detection: malicious
Reputation:moderate, very likely benign file
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

Process:C:\Users\user\Desktop\208.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1679648
Entropy (8bit):5.3288490918902225
Encrypted:false
SSDEEP:24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:159434853CE512029314C6B70070220D251A924A
SHA-256:2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: 99.exe, Detection: malicious
• Filename: 211.exe, Detection: malicious
• Filename: 212.exe, Detection: malicious
• Filename: 214.exe, Detection: malicious
• Filename: SecuriteInfo.com.Win32.Evo-gen.19313.28597.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: FZ6oyLoqGM.exe, Detection: malicious
• Filename: Lisect_AVT_24003_G1A_54.exe, Detection: malicious
Reputation:moderate, very likely benign file
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................

Process:C:\Users\user\Desktop\208.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1699896
Entropy (8bit):6.290547513916722
Encrypted:false
SSDEEP:24576:0Na0qyFU/vb313JPCGucMBbruVALdpNQHKl3y9UfSj6HYZY8zCixcq:kFU3b3HucMBbrb/qj98deCNq
MD5:5564A98A4692BA8B2D25770FB834D5F6
SHA1:129D030D817F6B25D1FDEF2CAD33EB81DE1DEA8B
SHA-256:28AB9A0F5F50FD5398324B5EC099F5C53C6FAA701C3F6D8B0B3DA47A76C56230
SHA-512:D803E2E3425095E170910103A4470C598FD4A9A10C1217A006A6393CD1ECA06D1C628E845F6FD1071F1C92778D481F47E4E5F175005FEC2CB0A7519C90992858
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:moderate, very likely benign file
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-.=FizS.izS.izS.2.P.jzS.}.S.hzS.}.P./zS.}.].q{S.}.V.rzS.}.W..zS.}...hzS.}.Q.hzS.RichizS.........................PE..L..................!.........................0....(K.........................@......,.....@A............................U...............................8`.......Q..0z..p............................................................................text...%........................... ..`RT.................................. ..`PAGE....:.... ...................... ..`.data....Z...0......................@....mrdata.x#.......$..................@....00cfg...............:..............@..@.rsrc................<..............@..@.reloc...Q.......R...>..............@..B................................................................................................................................................................................................

Process:C:\Users\user\Desktop\208.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:modified
Size (bytes):1679648
Entropy (8bit):5.3288490918902225
Encrypted:false
SSDEEP:24576:nB79uCigstmh6JVZ3et1NtJJBwuCx59U4IgL5pc6:JXh2LeXJBwuOTU4I56
MD5:2E8AB67DC55089DFBCBFA7710BD15B07
SHA1:159434853CE512029314C6B70070220D251A924A
SHA-256:2BCC4FD8A4D3C4033A81702E1B685860BE78D6F1A7E980F2E7593C59656F2706
SHA-512:7898B7B48685A2079BC77210464C448025E5BECB25EDDF3FB612A320B627FDB45AFF12D4913ADA98524E2C4718D74E911CE007F4DE6E3F2BB7184CDFAC5A0E5F
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:moderate, very likely benign file
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l=..(\.H(\.H(\.H!$4Hd\.H<7.I!\.H(\.H)X.H<7.I)\.H<7.I!\.H<7.I.\.H<7.I'\.H<7XH)\.H<7.I)\.HRich(\.H........PE..L...-..?...........!.....0...:...............@.....i................................=.....@A............................(s..X...\.... ...............B.. _...@..$g.. Q..T...............................................L...<........................text...8/.......0.................. ..`.data....2...@.......4..............@....idata..`............<..............@..@.didat..x...........................@....rsrc........ ......................@..@.reloc..$g...@...h..................@..B........................................................................................................................................................................................................................................................................................
                                                  Process:C:\Users\user\Desktop\208.exe
                                                  File Type:PC bitmap, Windows 3.x format, 43 x 25 x 24, image size 3300, cbSize 3354, bits offset 54
                                                  Category:dropped
                                                  Size (bytes):3354
                                                  Entropy (8bit):2.989481212693407
                                                  Encrypted:false
                                                  SSDEEP:12:hqVRlllllllllLlll7lllllllllp9l+fs9WLtOlqTT9WLXLELc9WLccwlVLcEAAZ:pIsgTZMY
                                                  MD5:6391A0DCDD648730D0801673DAA5E9C9
                                                  SHA1:023E19E73F390D6C976A75E4804E356F8D4E2B79
                                                  SHA-256:8CBC9646B997839C056FA4C663B843971C084CDC044502753A543D83D35092C5
                                                  SHA-512:17C8C196F2D27928FA01E2A461E9F2400E1ACFE73B50A3B3B9A03C3117D2EEC346E9032CE35DA508C26BE561404142DD073D5F7E393729160830EE148C5F4536
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\208.exe
                                                  File Type:PC bitmap, Windows 3.x format, 122 x 40 x 24, image size 14720, cbSize 14774, bits offset 54
                                                  Category:dropped
                                                  Size (bytes):14774
                                                  Entropy (8bit):4.868699837953847
                                                  Encrypted:false
                                                  SSDEEP:384:fDinzsGO052UtTri2fzOJ3pzvdTzD8mZxEBxQ74w2jBfG79s6OY:riA/w1ObZSny4dRI9Hh
                                                  MD5:EE883808D176D23096A2D4F339C84368
                                                  SHA1:D901775EDE136567215ABE718023C1A62F46A0A6
                                                  SHA-256:3D28C7A863B6E937EBC72AD585F94359B6BC2FF8523173DB0FEEFBC803AB372B
                                                  SHA-512:F14CF6522847121246B7913FA1C800227EEEAFAE5F7AA44D2E45ED55EC50B2A729C109B222D0F2E3FECFB3B16031AEF742C286DA0393322A73C4B182C71033D3
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\208.exe
                                                  File Type:PC bitmap, Windows 3.x format, 124 x 21 x 24, image size 7812, cbSize 7866, bits offset 54
                                                  Category:dropped
                                                  Size (bytes):7866
                                                  Entropy (8bit):2.8370523003123043
                                                  Encrypted:false
                                                  SSDEEP:24:o4XlQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQP:T+QgQ2VQPQ/QNQmQTQGQKxQyQIHiw1
                                                  MD5:5D70530E3663B004B68425154CB9AFB9
                                                  SHA1:46CFADA3D2EDE8A3280598BD4E2EC89CE0C7D56F
                                                  SHA-256:0818DF2198DA1889321E82F769F3AA6B01F9CD773987354A8F5E0908379F45CE
                                                  SHA-512:824569EAB3FBB412708BB35CDF0A3630289008307A518E68253CFAAD379CFB830C56A2582D2FB071561BF2FB3ADB2535CEBA13319A3A096009357E152022119E
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\208.exe
                                                  File Type:PC bitmap, Windows 3.x format, 132 x 32 x 24, image size 12672, cbSize 12726, bits offset 54
                                                  Category:dropped
                                                  Size (bytes):12726
                                                  Entropy (8bit):5.79054775797227
                                                  Encrypted:false
                                                  SSDEEP:384:xcEOHiLY/s8/wo4C4tPzSrEEBN/LMzeW1:xcdHiLeF4Q4pSY+hLMzv
                                                  MD5:FA9FA099399E2ADF93BE1348C4AED087
                                                  SHA1:3FB710D8AD919AE6783E222DF46305E39FA81098
                                                  SHA-256:3749B52884564A500221E53DE5FCF24A2F6E3EDB4E58ADB13CF2B5F8F422BA7B
                                                  SHA-512:A6D378F8AD7EFAF4A3067D3F601AFAB53C83947DA29C9F6A21BAD21F287D2CAB093939BD017F32971EE6B3DA1EC82BE6D59234CB446A325A33C8AA5215200DD8
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\208.exe
                                                  File Type:PC bitmap, Windows 3.x format, 312 x 196 x 24, image size 183456, cbSize 183510, bits offset 54
                                                  Category:modified
                                                  Size (bytes):183510
                                                  Entropy (8bit):5.556020063769881
                                                  Encrypted:false
                                                  SSDEEP:3072:6Sv2XACrsCmcuRGDpKiVarMsILpZTjDuD:rv2tNRdn5hpZvQ
                                                  MD5:1C4B3140D22A2921DC9E023E3E68963E
                                                  SHA1:0D4F280950E2221F30D40DF40A14C496FD5B9723
                                                  SHA-256:4F7D1D27980D902757136771413B5B9E681D7D5664259F8C0914DAEF986F1614
                                                  SHA-512:F0615BDA954AA84B871237F7BD64046BB99CAD7EE1CB43C28917B13EB5EC08120E659138C721A660D8B00567E00B79BB6C9384ED30E8EB522D84617177642037
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\208.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):687517
                                                  Entropy (8bit):7.999653084247243
                                                  Encrypted:true
                                                  SSDEEP:12288:nAPtAe/2ByNkI6K8Pi7GMskNEkzJ0x1d2GpSI5EwLtwun3aPh:nEtAemv+hNZGTds9UtwgqPh
                                                  MD5:4B7109E2F77FF15219B81079DF8C12B2
                                                  SHA1:AB3BF417AF304B83CD49707E399BC06E1E10D519
                                                  SHA-256:BE7A0A59B36299F40D6AC2FC126ACFD6C8BBFF8C4F8D9D85267DF3E2E1E3AED3
                                                  SHA-512:770EBECF21AAD663BB27F7800AE476FF3B9EF444FF661916CB50E65AE4987DDE7413E4AE83FD152C47A296C13E41D4544AED3C780F0F5958BB605F57016537E7
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 73%
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):6.0764393806045005
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:208.exe
                                                  File size:5'218'304 bytes
                                                  MD5:1303d1bb003a5cdbfba7b1628760171b
                                                  SHA1:d82b0078d33249ed5301140cc50328f4095bd822
                                                  SHA256:fc29d31a9f14f38b2bff9a3902d49d74cf52abe54548edbed4987abd9c5104b2
                                                  SHA512:810336cd6d71d868d63b370e997cb6e832e497fe060cbb8b7716d126033d4bbf5193fbcdbc11d49ec467fcdb59060a6661a0f98ef84c86ef45ada36e0a90ef78
                                                  SSDEEP:98304:hXafXDDNmfInViKoRdqPI2SBNFhrSBNFhI:hXarsgoDDwDy
                                                  TLSH:AF366A03F2128866E1052AB52172EF38D67A8FB42975CA47E7FCFC73BE725534A1114A
                                                  Icon Hash:0f396deccc4d6555
                                                  Entrypoint:0x52df18
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                  DLL Characteristics:
                                                  Time Stamp:0x66FA370B [Mon Sep 30 05:28:43 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:04c7a30e342800eb893154d4d8d3104c
                                                  Instruction
                                                  push ebp
                                                  mov ebp, esp
                                                  push FFFFFFFFh
                                                  push 007C8D08h
                                                  push 00530D84h
                                                  mov eax, dword ptr fs:[00000000h]
                                                  push eax
                                                  mov dword ptr fs:[00000000h], esp
                                                  sub esp, 58h
                                                  push ebx
                                                  push esi
                                                  push edi
                                                  mov dword ptr [ebp-18h], esp
                                                  call dword ptr [005513E8h]
                                                  xor edx, edx
                                                  mov dl, ah
                                                  mov dword ptr [00827EACh], edx
                                                  mov ecx, eax
                                                  and ecx, 000000FFh
                                                  mov dword ptr [00827EA8h], ecx
                                                  shl ecx, 08h
                                                  add ecx, edx
                                                  mov dword ptr [00827EA4h], ecx
                                                  shr eax, 10h
                                                  mov dword ptr [00827EA0h], eax
                                                  push 00000001h
                                                  call 00007F128D0F68A7h
                                                  pop ecx
                                                  test eax, eax
                                                  jne 00007F128D0F088Ah
                                                  push 0000001Ch
                                                  call 00007F128D0F0948h
                                                  pop ecx
                                                  call 00007F128D0F6652h
                                                  test eax, eax
                                                  jne 00007F128D0F088Ah
                                                  push 00000010h
                                                  call 00007F128D0F0937h
                                                  pop ecx
                                                  xor esi, esi
                                                  mov dword ptr [ebp-04h], esi
                                                  call 00007F128D0F6480h
                                                  call dword ptr [00551358h]
                                                  mov dword ptr [0082D0E4h], eax
                                                  call 00007F128D0F633Eh
                                                  mov dword ptr [00827E18h], eax
                                                  call 00007F128D0F60E7h
                                                  call 00007F128D0F6029h
                                                  call 00007F128D0F4F5Ah
                                                  mov dword ptr [ebp-30h], esi
                                                  lea eax, dword ptr [ebp-5Ch]
                                                  push eax
                                                  call dword ptr [005511C8h]
                                                  call 00007F128D0F5FBAh
                                                  mov dword ptr [ebp-64h], eax
                                                  test byte ptr [ebp-30h], 00000001h
                                                  je 00007F128D0F0888h
                                                  movzx eax, word ptr [ebp+00h]
                                                  Programming Language:
                                                  • [C++] VS98 (6.0) SP6 build 8804
                                                  • [ C ] VS98 (6.0) SP6 build 8804
                                                  • [C++] VS98 (6.0) build 8168
                                                  • [ C ] VS98 (6.0) build 8168
                                                  • [EXP] VC++ 6.0 SP5 build 8804
                                                   Name | Virtual Address | Virtual Size | Is in Section
                                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d1cb8 | 0x12c | .rdata
                                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x42e000 | 0x10ce8c | .rsrc
                                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x151000 | 0x7d8 | .rdata
                                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                   Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                   .text | 0x1000 | 0x14f1ee | 0x150000 | 6c20415c7a862236a0eb5ee707e9f1d2 | False | 0.4084523518880208 | data | 6.41756091553701 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                   .rdata | 0x151000 | 0x283544 | 0x284000 | f7168b9fe7a7b5822811d948d6d716cf | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                   .data | 0x3d5000 | 0x580ea | 0x18000 | 2cafcd7afb6bed2599e3fa82b9c16f2b | False | 0.3038126627604167 | data | 5.065383226996989 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                   .rsrc | 0x42e000 | 0x10ce8c | 0x10d000 | 601614f05dd0d098d59b3e8355b6d7cc | False | 0.31927966717007433 | data | 4.0706928898165975 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                   Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                   TEXTINCLUDE | 0x42eb9c | 0xb | ASCII text, with no line terminators | Chinese | China | 1.7272727272727273
                                                   TEXTINCLUDE | 0x42eba8 | 0x16 | data | Chinese | China | 1.3636363636363635
                                                   TEXTINCLUDE | 0x42ebc0 | 0x151 | C source, ASCII text, with CRLF line terminators | Chinese | China | 0.6201780415430267
                                                   RT_CURSOR | 0x42ed14 | 0x134 | data | Chinese | China | 0.5811688311688312
                                                   RT_CURSOR | 0x42ee48 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.37662337662337664
                                                   RT_CURSOR | 0x42ef7c | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.4805194805194805
                                                   RT_CURSOR | 0x42f0b0 | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | Chinese | China | 0.7
                                                   RT_BITMAP | 0x42f164 | 0x248 | Device independent bitmap graphic, 64 x 15 x 4, image size 480 | Chinese | China | 0.3407534246575342
                                                   RT_BITMAP | 0x42f3ac | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.4444444444444444
                                                   RT_BITMAP | 0x42f4f0 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.26453488372093026
                                                   RT_BITMAP | 0x42f648 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2616279069767442
                                                   RT_BITMAP | 0x42f7a0 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2441860465116279
                                                   RT_BITMAP | 0x42f8f8 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.24709302325581395
                                                   RT_BITMAP | 0x42fa50 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m | Chinese | China | 0.2238372093023256
                                                   RT_BITMAP | 0x42fba8 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.19476744186046513
                                                   RT_BITMAP | 0x42fd00 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.20930232558139536
                                                   RT_BITMAP | 0x42fe58 | 0x158 | Device independent bitmap graphic, 20 x 20 x 4, image size 240 | Chinese | China | 0.18895348837209303
                                                   RT_BITMAP | 0x42ffb0 | 0x5e4 | Device independent bitmap graphic, 70 x 39 x 4, image size 1404 | Chinese | China | 0.34615384615384615
                                                   RT_BITMAP | 0x430594 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | Chinese | China | 0.44565217391304346
                                                   RT_BITMAP | 0x43064c | 0x16c | Device independent bitmap graphic, 39 x 13 x 4, image size 260 | Chinese | China | 0.28296703296703296
                                                   RT_BITMAP | 0x4307b8 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.37962962962962965
                                                   RT_ICON | 0x4308fc | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | Chinese | China | 0.26344086021505375
                                                   RT_ICON | 0x430be4 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | Chinese | China | 0.41216216216216217
                                                   RT_ICON | 0x430d0c | 0x108028 | Device independent bitmap graphic, 512 x 1024 x 32, image size 2097152 | | | 0.32723045349121094
                                                   RT_MENU | 0x538d34 | 0xc | data | Chinese | China | 1.5
                                                   RT_MENU | 0x538d40 | 0x284 | data | Chinese | China | 0.5
                                                   RT_DIALOG | 0x538fc4 | 0x98 | data | Chinese | China | 0.7171052631578947
                                                   RT_DIALOG | 0x53905c | 0x17a | data | Chinese | China | 0.5185185185185185
                                                   RT_DIALOG | 0x5391d8 | 0xfa | data | Chinese | China | 0.696
                                                   RT_DIALOG | 0x5392d4 | 0xea | data | Chinese | China | 0.6239316239316239
                                                   RT_DIALOG | 0x5393c0 | 0x8ae | data | Chinese | China | 0.39603960396039606
                                                   RT_DIALOG | 0x539c70 | 0xb2 | data | Chinese | China | 0.7359550561797753
                                                   RT_DIALOG | 0x539d24 | 0xcc | data | Chinese | China | 0.7647058823529411
                                                   RT_DIALOG | 0x539df0 | 0xb2 | data | Chinese | China | 0.6629213483146067
                                                   RT_DIALOG | 0x539ea4 | 0xe2 | data | Chinese | China | 0.6637168141592921
                                                   RT_DIALOG | 0x539f88 | 0x18c | data | Chinese | China | 0.5227272727272727
                                                   RT_STRING | 0x53a114 | 0x50 | data | Chinese | China | 0.85
                                                   RT_STRING | 0x53a164 | 0x2c | data | Chinese | China | 0.5909090909090909
                                                   RT_STRING | 0x53a190 | 0x78 | data | Chinese | China | 0.925
                                                   RT_STRING | 0x53a208 | 0x1c4 | data | Chinese | China | 0.8141592920353983
                                                   RT_STRING | 0x53a3cc | 0x12a | data | Chinese | China | 0.5201342281879194
                                                   RT_STRING | 0x53a4f8 | 0x146 | data | Chinese | China | 0.6288343558282209
                                                   RT_STRING | 0x53a640 | 0x40 | data | Chinese | China | 0.65625
                                                   RT_STRING | 0x53a680 | 0x64 | data | Chinese | China | 0.73
                                                   RT_STRING | 0x53a6e4 | 0x1d8 | data | Chinese | China | 0.6758474576271186
                                                   RT_STRING | 0x53a8bc | 0x114 | data | Chinese | China | 0.6376811594202898
                                                   RT_STRING | 0x53a9d0 | 0x24 | data | Chinese | China | 0.4444444444444444
                                                   RT_GROUP_CURSOR | 0x53a9f4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.25
                                                   RT_GROUP_CURSOR | 0x53aa08 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.25
                                                   RT_GROUP_CURSOR | 0x53aa1c | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China | 1.0294117647058822
                                                   RT_GROUP_ICON | 0x53aa40 | 0x14 | Targa image data - Map 32 x 32808 x 16 | | | 1.1
                                                   RT_GROUP_ICON | 0x53aa54 | 0x14 | data | Chinese | China | 1.2
                                                   RT_GROUP_ICON | 0x53aa68 | 0x14 | data | Chinese | China | 1.25
                                                   RT_VERSION | 0x53aa7c | 0x240 | data | Chinese | China | 0.5642361111111112
                                                   RT_MANIFEST | 0x53acbc | 0x1cd | XML 1.0 document, ASCII text, with very long lines (461), with no line terminators | | | 0.5878524945770065
                                                  DLLImport
                                                  WINMM.dllmidiStreamOut, midiOutPrepareHeader, midiStreamProperty, midiStreamOpen, midiOutUnprepareHeader, waveOutOpen, waveOutRestart, waveOutUnprepareHeader, waveOutPrepareHeader, waveOutWrite, waveOutPause, waveOutReset, waveOutClose, midiStreamStop, midiOutReset, midiStreamClose, midiStreamRestart, waveOutGetNumDevs
                                                  WS2_32.dllWSAAsyncSelect, closesocket, send, select, WSAStartup, inet_ntoa, recvfrom, ioctlsocket, recv, getpeername, accept, WSACleanup, ntohl
                                                  RASAPI32.dllRasGetConnectStatusA, RasHangUpA
                                                  KERNEL32.dllMultiByteToWideChar, SetLastError, GetTimeZoneInformation, OpenProcess, TerminateThread, FileTimeToSystemTime, CreateMutexA, ReleaseMutex, SuspendThread, GetStartupInfoA, GetOEMCP, GetCPInfo, GetProcessVersion, SetErrorMode, GlobalFlags, GetCurrentThread, GetFileTime, TlsGetValue, LocalReAlloc, TlsSetValue, TlsFree, GlobalHandle, TlsAlloc, LocalAlloc, lstrcmpA, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, lstrcmpiA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, DuplicateHandle, lstrcpynA, FileTimeToLocalFileTime, LocalFree, WideCharToMultiByte, InterlockedDecrement, InterlockedIncrement, TerminateProcess, GetCurrentProcess, GetFileSize, SetFilePointer, CreateToolhelp32Snapshot, Process32First, Process32Next, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, lstrlenW, RemoveDirectoryA, GetModuleFileNameA, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GetDriveTypeA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetUserDefaultLCID, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, GetPrivateProfileStringA, CreateThread, CreateEventA, Sleep, ExpandEnvironmentStringsA, GlobalAlloc, GlobalLock, GlobalUnlock, FindFirstFileA, FindClose, SetFileAttributesA, InterlockedExchange, GetFileAttributesA, DeleteFileA, GetCurrentDirectoryA, SetCurrentDirectoryA, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, MulDiv, GetCommandLineA, GetTickCount, CreateProcessA, WaitForSingleObject, CloseHandle, RtlUnwind, GetSystemTime, GetLocalTime, RaiseException, HeapSize, GetACP, SetStdHandle, GetFileType, UnhandledExceptionFilter, 
FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, SetEnvironmentVariableA, LCMapStringA, LCMapStringW, VirtualAlloc, IsBadWritePtr, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, CompareStringA, CompareStringW, IsBadReadPtr, IsBadCodePtr, GetVersion
USER32.dll: SetWindowRgn, DestroyAcceleratorTable, GetWindow, GetActiveWindow, SetFocus, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, WinHelpA, KillTimer, SetTimer, IsIconic, PeekMessageA, SetMenu, GetMenu, DeleteMenu, GetSystemMenu, DefWindowProcA, GetClassInfoA, IsZoomed, PostQuitMessage, CopyAcceleratorTableA, GetKeyState, TranslateAcceleratorA, IsWindowEnabled, ShowWindow, SystemParametersInfoA, LoadImageA, EnumDisplaySettingsA, ClientToScreen, EnableMenuItem, GetSubMenu, GetDlgCtrlID, ReleaseCapture, GetCapture, SetCapture, GetScrollRange, SetScrollRange, SetScrollPos, SetRect, InflateRect, IntersectRect, DestroyIcon, PtInRect, OffsetRect, IsWindowVisible, EnableWindow, RedrawWindow, GetWindowLongA, SetWindowLongA, GetSysColor, SetActiveWindow, CreateAcceleratorTableA, LoadStringA, GetMenuCheckMarkDimensions, GetMenuState, SetMenuItemBitmaps, CheckMenuItem, MoveWindow, IsDialogMessageA, ScrollWindowEx, SendDlgItemMessageA, MapWindowPoints, AdjustWindowRectEx, GetScrollPos, RegisterClassA, GetMenuItemCount, GetMenuItemID, SetWindowsHookExA, CallNextHookEx, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, RemovePropA, GetMessageTime, GetLastActivePopup, SetCursorPos, LoadCursorA, SetCursor, GetDC, FillRect, IsRectEmpty, ReleaseDC, IsChild, DestroyMenu, SetForegroundWindow, GetWindowRect, EqualRect, UpdateWindow, ValidateRect, InvalidateRect, GetClientRect, GetFocus, GetParent, GetTopWindow, PostMessageA, IsWindow, SetParent, DestroyCursor, SendMessageA, SetWindowPos, MessageBoxA, GetCursorPos, GetSystemMetrics, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, wsprintfA, WaitForInputIdle, CreateMenu, ModifyMenuA, AppendMenuA, CreatePopupMenu, DrawIconEx, CreateIconFromResource, CreateIconFromResourceEx, RegisterClipboardFormatA, SetRectEmpty, DispatchMessageA, GetMessageA, WindowFromPoint, DrawFocusRect, DrawEdge, DrawFrameControl, 
TranslateMessage, LoadIconA, UnregisterClassA, GetDesktopWindow, GetClassNameA, GetWindowThreadProcessId, GetDlgItem, GetWindowTextA, CallWindowProcA, CreateWindowExA, RegisterHotKey, UnregisterHotKey, SetWindowTextA, GetSysColorBrush, FindWindowA, GetWindowTextLengthA, CharUpperA, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, DestroyWindow, CreateDialogIndirectParamA, EndDialog, GetNextDlgTabItem, GetWindowPlacement, RegisterWindowMessageA, GetForegroundWindow
GDI32.dll: PtVisible, GetViewportExtEx, ExtSelectClipRgn, LineTo, Ellipse, Rectangle, LPtoDP, DPtoLP, GetCurrentObject, RoundRect, GetTextExtentPoint32A, GetDeviceCaps, RealizePalette, SelectPalette, StretchBlt, CreatePalette, RectVisible, CreateDIBitmap, DeleteObject, SelectClipRgn, CreatePolygonRgn, GetClipRgn, SetStretchBltMode, CreateRectRgnIndirect, SetBkColor, CreateFontA, TranslateCharsetInfo, MoveToEx, ExcludeClipRect, GetClipBox, ScaleWindowExtEx, SetWindowExtEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, TextOutA, ExtTextOutA, Escape, GetTextMetricsA, CreateCompatibleDC, BitBlt, StartPage, StartDocA, DeleteDC, EndDoc, EndPage, GetObjectA, GetStockObject, CreateFontIndirectA, CreateSolidBrush, FillRgn, CreateRectRgn, CombineRgn, PatBlt, CreatePen, SelectObject, CreateBitmap, SetViewportOrgEx, SetMapMode, SetTextColor, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, CreateDCA, CreateCompatibleBitmap, GetPolyFillMode, GetStretchBltMode, GetROP2, GetBkColor, GetBkMode, GetTextColor, CreateRoundRectRgn, CreateEllipticRgn, PathToRegion, EndPath, BeginPath, GetWindowOrgEx, GetViewportOrgEx, GetWindowExtEx, GetSystemPaletteEntries, GetDIBits
WINSPOOL.DRV: OpenPrinterA, DocumentPropertiesA, ClosePrinter
ADVAPI32.dll: RegQueryValueExA, RegOpenKeyExA, RegSetValueExA, RegDeleteValueA, RegQueryValueA, RegCreateKeyExA, RegOpenKeyA, RegCloseKey
SHELL32.dll: Shell_NotifyIconA, SHGetSpecialFolderPathA, SHChangeNotify, ShellExecuteA, DragQueryFileA, DragFinish, DragAcceptFiles
ole32.dll: CLSIDFromProgID, OleRun, CoCreateInstance, CLSIDFromString, OleUninitialize, OleInitialize
OLEAUT32.dll: VariantChangeType, VariantClear, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetElement, VariantCopyInd, VariantInit, SysAllocString, SafeArrayDestroy, SafeArrayGetDim, SafeArrayCreate, SafeArrayUnaccessData, UnRegisterTypeLib, LoadTypeLib, LHashValOfNameSys, RegisterTypeLib, SafeArrayPutElement, SafeArrayAccessData
COMCTL32.dll: ImageList_Add, ImageList_BeginDrag, ImageList_Create, ImageList_Destroy, ImageList_DragEnter, ImageList_DragLeave, ImageList_DragMove, ImageList_DragShowNolock, ImageList_EndDrag
WININET.dll: InternetCanonicalizeUrlA, InternetCrackUrlA, HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA, InternetConnectA, InternetSetOptionA, InternetOpenA, InternetCloseHandle, InternetReadFile
comdlg32.dll: ChooseColorA, GetOpenFileNameA, GetFileTitleA, GetSaveFileNameA
Language of compilation system | Country where language is spoken
Chinese | China
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 09:21:32.550746918 CET | 49702 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:32.556516886 CET | 80 | 49702 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:32.556592941 CET | 49702 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:32.572210073 CET | 49702 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:32.577223063 CET | 80 | 49702 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:32.703547001 CET | 49703 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:32.708972931 CET | 80 | 49703 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:32.709022999 CET | 49703 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:33.430815935 CET | 80 | 49702 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:33.430830956 CET | 80 | 49702 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:33.430839062 CET | 80 | 49702 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:33.430906057 CET | 49702 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:33.431057930 CET | 80 | 49702 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:33.431071043 CET | 80 | 49702 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:33.431114912 CET | 49702 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:33.703653097 CET | 49703 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:33.708780050 CET | 80 | 49703 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:33.708878994 CET | 49703 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:33.709151983 CET | 49703 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:33.714025974 CET | 80 | 49703 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:34.643922091 CET | 80 | 49703 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:34.643934965 CET | 80 | 49703 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:34.643953085 CET | 80 | 49703 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:34.643965006 CET | 80 | 49703 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:34.643975973 CET | 80 | 49703 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:34.643986940 CET | 49703 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:34.643991947 CET | 80 | 49703 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:34.644026041 CET | 49703 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:34.644056082 CET | 49703 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:39.221534014 CET | 49703 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:39.227308989 CET | 80 | 49703 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:39.638026953 CET | 80 | 49703 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:39.638041973 CET | 80 | 49703 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:39.638052940 CET | 80 | 49703 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:39.638120890 CET | 49703 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:39.639607906 CET | 80 | 49703 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:39.639705896 CET | 49703 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:39.642173052 CET | 80 | 49703 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:39.642276049 CET | 49703 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:46.259401083 CET | 49703 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:46.266944885 CET | 80 | 49703 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:46.669811964 CET | 80 | 49703 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:46.669821024 CET | 80 | 49703 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:46.669874907 CET | 49703 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:49.843955040 CET | 49814 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:49.851689100 CET | 80 | 49814 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:49.851788998 CET | 49814 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:49.853832960 CET | 49814 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:49.861222982 CET | 80 | 49814 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:50.190896034 CET | 49815 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:50.195934057 CET | 80 | 49815 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:50.196029902 CET | 49815 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:50.196172953 CET | 49815 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:50.205063105 CET | 80 | 49815 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:50.940685034 CET | 80 | 49814 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:50.940702915 CET | 80 | 49814 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:50.940713882 CET | 80 | 49814 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:50.940769911 CET | 49814 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:50.940810919 CET | 49814 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:50.940830946 CET | 80 | 49814 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:50.940843105 CET | 80 | 49814 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:50.940888882 CET | 49814 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:51.273374081 CET | 80 | 49815 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:51.273386002 CET | 80 | 49815 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:51.273397923 CET | 80 | 49815 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:51.273458004 CET | 49815 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:51.273510933 CET | 49815 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:51.273611069 CET | 80 | 49815 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:51.273622036 CET | 80 | 49815 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:51.273633003 CET | 80 | 49815 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:51.273660898 CET | 49815 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:51.273704052 CET | 49815 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:57.067079067 CET | 49815 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:57.072118998 CET | 80 | 49815 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:57.474848032 CET | 80 | 49815 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:57.474862099 CET | 80 | 49815 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:57.474873066 CET | 80 | 49815 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:57.474905968 CET | 80 | 49815 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:57.474915981 CET | 80 | 49815 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:57.474920034 CET | 49815 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:57.474952936 CET | 49815 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:57.474981070 CET | 49815 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:57.475052118 CET | 80 | 49815 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:57.475061893 CET | 80 | 49815 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:21:57.475091934 CET | 49815 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:21:57.475104094 CET | 49815 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:22:04.017035961 CET | 49815 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:22:04.023380995 CET | 80 | 49815 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:22:04.425466061 CET | 80 | 49815 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:22:04.425477982 CET | 80 | 49815 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:22:04.425607920 CET | 49815 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:22:04.425700903 CET | 49815 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:23:22.095302105 CET | 49703 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:23:22.095381021 CET | 49702 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:23:22.100514889 CET | 80 | 49703 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:23:22.100955963 CET | 80 | 49702 | 42.193.100.57 | 192.168.2.7
Nov 20, 2024 09:23:22.101064920 CET | 49703 | 80 | 192.168.2.7 | 42.193.100.57
Nov 20, 2024 09:23:22.101074934 CET | 49702 | 80 | 192.168.2.7 | 42.193.100.57
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 09:22:15.822794914 CET | 53 | 54872 | 162.159.36.2 | 192.168.2.7
Nov 20, 2024 09:22:16.323169947 CET | 53 | 54836 | 1.1.1.1 | 192.168.2.7
                                                  • 42.193.100.57
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49702 | 42.193.100.57 | 80 | 7496 | C:\Users\user\Desktop\208.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 09:21:32.572210073 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                                                  Accept: */*
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                  Host: 42.193.100.57
                                                  Cache-Control: no-cache
Nov 20, 2024 09:21:33.430815935 CET | 1236 | IN | HTTP/1.1 200 OK
                                                  Content-Type: text/plain
                                                  Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
                                                  Accept-Ranges: bytes
                                                  ETag: "c04e101e3bdb1:0"
                                                  Server: Microsoft-IIS/8.5
                                                  Date: Wed, 20 Nov 2024 08:21:33 GMT
                                                  Content-Length: 5139
                                                  Data Raw: c7 ac c0 a4 d2 bb d6 c0 0d 0a c9 f1 c4 a7 c5 ad 0d 0a cd da b1 a6 c9 fa b4 e6 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 33 bc b6 b0 b5 d3 b0 bd e7 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 31 bc b6 b0 b5 d3 b0 bd e7 0d 0a cc ec c3 fc cb f9 b9 e9 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 32 0d 0a bb c3 cf eb d0 f2 d5 c2 0d 0a c2 de c0 bc d1 aa c3 cb 0d 0a e1 db b7 e5 d6 ae d5 bd 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a d4 ad c0 b4 ce d2 ce de b5 d0 c1 cb 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a c8 ab cb e6 bb fa 54 44 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 d7 a8 cb a2 c8 a8 cf de 0d 0a c3 d8 be b3 c9 ad c1 d6 49 49 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 b8 df ca d6 cc d7 b2 cd 0d 0a ce d2 ce de b5 d0 c1 cb 0d 0a d0 c2 c9 f1 bd e7 c6 f5 d4 bc 32 0d 0a c9 f1 c4 a7 cd a8 cc ec bc c7 0d 0a c6 e5 c5 cc ce f7 d3 ce b8 df b4 ce ca fd 0d 0a c6 e5 c5 cc ce f7 d3 ce b5 cd b4 ce ca fd 0d 0a c9 a5 ca ac b3 b1 cf ae 0d 0a bd a3 d6 ae c0 b4 0d 0a ce d2 [TRUNCATED]
                                                  Data Ascii: 312TDII2TDBTORPG22I223ORPGT5ORPGTDII
Nov 20, 2024 09:21:33.430830956 CET | 1236 | IN | Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd cb e6 bb fa 54 34 d6 ae c7 b0 b5 c4 0d 0a b9 c5 b7 a8 b7 c0 ca d8 0d 0a b7 c5 c4 c1 d6 da c9 f1 0d 0a ce d2 d4 da c1 b7 b9 a6 b7 bf c0 ef ca ae cd f2 c4 ea 0d 0a b7 e8 bf f1 b5 c4 d0 a1 cd b5 0d 0a cb e6 bb fa d3 a2
                                                  Data Ascii: T4
Nov 20, 2024 09:21:33.430839062 CET | 1236 | IN | Data Raw: 0a ca ae b5 ee d1 d6 c2 de 32 b5 f6 d3 e3 0d 0a d3 a2 c1 e9 b4 ab cb b5 d0 de b8 b4 d7 a8 ca f4 0d 0a cb a2 b9 d6 b4 f2 c7 ae 0d 0a d0 f2 c1 d0 d5 bd d5 f9 0d 0a b9 ad ca d6 b4 f3 d7 f7 d5 bd 0d 0a bb ec c2 d2 ce e4 c1 d6 49 49 49 0d 0a cc d3 c0
                                                  Data Ascii: 2III322
Nov 20, 2024 09:21:33.431057930 CET | 1236 | IN | Data Raw: ca ac bf aa c5 da 0d 0a b1 ac cb ac cb a2 cb a2 cb a2 0d 0a e1 f7 c1 d4 b6 f1 c4 a7 0d 0a ca de b3 b1 c0 b4 cf ae 0d 0a d4 c6 c3 ce bd ad ba fe 0d 0a c5 da c5 da bb f0 c7 b9 ca d6 0d 0a b1 ac bf b3 ce d7 d1 fd cd f5 0d 0a ce fc d1 aa b9 ed d6 ae
                                                  Data Ascii: ORPG2
Nov 20, 2024 09:21:33.431071043 CET | 419 | IN | Data Raw: 0a be f8 b6 d4 b7 c0 ca d8 32 0d 0a bb c3 cf eb b7 e7 bb aa c2 bc 0d 0a bd a8 bb f9 b5 d8 b1 a9 b4 f2 b2 bb cb c0 d7 e5 0d 0a cc ec c3 fc d4 da ce d2 0d 0a cd f2 bd e7 c9 f1 d7 f0 0d 0a c3 ce bc a3 c9 b3 ba d3 34 0d 0a bb c3 da a4 ca a5 bd e7 0d
                                                  Data Ascii: 242323


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49703 | 42.193.100.57 | 80 | 7496 | C:\Users\user\Desktop\208.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 09:21:33.709151983 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                                                  Accept: */*
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                  Host: 42.193.100.57
                                                  Cache-Control: no-cache
Nov 20, 2024 09:21:34.643922091 CET | 1236 | IN | HTTP/1.1 200 OK
                                                  Content-Type: text/plain
                                                  Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
                                                  Accept-Ranges: bytes
                                                  ETag: "c04e101e3bdb1:0"
                                                  Server: Microsoft-IIS/8.5
                                                  Date: Wed, 20 Nov 2024 08:21:34 GMT
                                                  Content-Length: 5139
                                                  Data Raw: c7 ac c0 a4 d2 bb d6 c0 0d 0a c9 f1 c4 a7 c5 ad 0d 0a cd da b1 a6 c9 fa b4 e6 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 33 bc b6 b0 b5 d3 b0 bd e7 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 31 bc b6 b0 b5 d3 b0 bd e7 0d 0a cc ec c3 fc cb f9 b9 e9 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 32 0d 0a bb c3 cf eb d0 f2 d5 c2 0d 0a c2 de c0 bc d1 aa c3 cb 0d 0a e1 db b7 e5 d6 ae d5 bd 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a d4 ad c0 b4 ce d2 ce de b5 d0 c1 cb 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a c8 ab cb e6 bb fa 54 44 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 d7 a8 cb a2 c8 a8 cf de 0d 0a c3 d8 be b3 c9 ad c1 d6 49 49 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 b8 df ca d6 cc d7 b2 cd 0d 0a ce d2 ce de b5 d0 c1 cb 0d 0a d0 c2 c9 f1 bd e7 c6 f5 d4 bc 32 0d 0a c9 f1 c4 a7 cd a8 cc ec bc c7 0d 0a c6 e5 c5 cc ce f7 d3 ce b8 df b4 ce ca fd 0d 0a c6 e5 c5 cc ce f7 d3 ce b5 cd b4 ce ca fd 0d 0a c9 a5 ca ac b3 b1 cf ae 0d 0a bd a3 d6 ae c0 b4 0d 0a ce d2 [TRUNCATED]
                                                  Data Ascii: 312TDII2TDBTORPG22I223ORPGT5ORPGTDII
Nov 20, 2024 09:21:34.643934965 CET | 224 | IN | Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd cb e6 bb fa 54 34 d6 ae c7 b0 b5 c4 0d 0a b9 c5 b7 a8 b7 c0 ca d8 0d 0a b7 c5 c4 c1 d6 da c9 f1 0d 0a ce d2 d4 da c1 b7 b9 a6 b7 bf c0 ef ca ae cd f2 c4 ea 0d 0a b7 e8 bf f1 b5 c4 d0 a1 cd b5 0d 0a cb e6 bb fa d3 a2
                                                  Data Ascii: T4
Nov 20, 2024 09:21:34.643953085 CET | 1236 | IN | Data Raw: 0d 0a ce d2 d2 aa b4 f2 bd a9 ca ac 0d 0a d2 bb c9 ed d1 fd d7 b0 0d 0a ce d2 c4 dc b4 b3 bc b8 b9 d8 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 0d 0a bf aa cf e4 c9 fa b4 e6 0d 0a ca ae b5 ee d1 d6 c2 de 32 b2 e2 ca d4 0d 0a c6 e5 c5 cc ce
                                                  Data Ascii: 2II2T
Nov 20, 2024 09:21:34.643965006 CET | 1236 | IN | Data Raw: ae c3 fc d4 cb 0d 0a ca ae b5 ee d1 d6 c2 de 32 d7 a8 cb a2 c8 a8 cf de 0d 0a d0 a1 d0 a1 bd a3 ca a5 d7 a8 cb a2 c8 a8 cf de 0d 0a d2 bb c4 ee cd a8 cc ec d7 a8 cb a2 c8 a8 cf de 0d 0a cb c4 c9 fa ca d3 bd e7 d7 a8 cb a2 c8 a8 cf de 0d 0a b7 e7
                                                  Data Ascii: 2F38.26
Nov 20, 2024 09:21:34.643975973 CET | 1236 | IN | Data Raw: af 0d 0a b7 e8 bf f1 b4 f2 bd f0 0d 0a cc b0 c0 b7 bf f3 bf d3 0d 0a c7 f3 cf c9 cc ec b5 c0 54 44 0d 0a b3 d4 ca e9 c9 fa b4 e6 0d 0a ba da bb ea c6 f4 ca be c2 bc 0d 0a ce d2 d4 da c3 f7 c4 a9 b5 b1 bd ab be fc 0d 0a be f8 ca c0 ce e4 bb ea 0d
                                                  Data Ascii: TD7
Nov 20, 2024 09:21:34.643991947 CET | 195 | IN | Data Raw: d2 bb c9 ed c9 f1 d7 b0 33 0d 0a cc a4 cb e9 c8 fd bd e7 0d 0a d5 b6 d4 c2 cd c0 c1 fa 0d 0a d0 fe bb f0 b2 d4 f1 b7 0d 0a d3 a2 d0 db c2 b7 0d 0a be fc cd c5 d5 bd d5 f9 35 0d 0a b0 b5 ba da d1 ad bb b7 c8 a6 0d 0a c3 ce bc a3 c9 b3 ba d3 32 0d
                                                  Data Ascii: 35222
Nov 20, 2024 09:21:39.221534014 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                                                  Accept: */*
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                  Host: 42.193.100.57
                                                  Cache-Control: no-cache
Nov 20, 2024 09:21:39.638026953 CET | 1236 | IN | HTTP/1.1 200 OK
                                                  Content-Type: text/plain
                                                  Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
                                                  Accept-Ranges: bytes
                                                  ETag: "c04e101e3bdb1:0"
                                                  Server: Microsoft-IIS/8.5
                                                  Date: Wed, 20 Nov 2024 08:21:39 GMT
                                                  Content-Length: 5139
                                                  Data Raw: c7 ac c0 a4 d2 bb d6 c0 0d 0a c9 f1 c4 a7 c5 ad 0d 0a cd da b1 a6 c9 fa b4 e6 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 33 bc b6 b0 b5 d3 b0 bd e7 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 31 bc b6 b0 b5 d3 b0 bd e7 0d 0a cc ec c3 fc cb f9 b9 e9 0d 0a bf aa be d6 cb c0 c1 cb d2 bb cd f2 b4 ce 32 0d 0a bb c3 cf eb d0 f2 d5 c2 0d 0a c2 de c0 bc d1 aa c3 cb 0d 0a e1 db b7 e5 d6 ae d5 bd 0d 0a d3 a2 c1 e9 c6 f5 d4 bc 0d 0a d4 ad c0 b4 ce d2 ce de b5 d0 c1 cb 0d 0a c6 eb cc ec b4 f3 ca a5 0d 0a c8 ab cb e6 bb fa 54 44 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 c7 e5 d7 f7 b1 d7 0d 0a b9 ad bc fd ca d6 d0 a1 cb fe b7 c0 d7 a8 cb a2 c8 a8 cf de 0d 0a c3 d8 be b3 c9 ad c1 d6 49 49 0d 0a ce d2 b6 c0 d7 d4 c9 fd bc b6 b8 df ca d6 cc d7 b2 cd 0d 0a ce d2 ce de b5 d0 c1 cb 0d 0a d0 c2 c9 f1 bd e7 c6 f5 d4 bc 32 0d 0a c9 f1 c4 a7 cd a8 cc ec bc c7 0d 0a c6 e5 c5 cc ce f7 d3 ce b8 df b4 ce ca fd 0d 0a c6 e5 c5 cc ce f7 d3 ce b5 cd b4 ce ca fd 0d 0a c9 a5 ca ac b3 b1 cf ae 0d 0a bd a3 d6 ae c0 b4 0d 0a ce d2 [TRUNCATED]
                                                  Data Ascii: 312TDII2TDBTORPG22I223ORPGT5ORPGTDII
Nov 20, 2024 09:21:39.638041973 CET | 1236 | IN | Data Raw: b9 ad ca d6 b4 f3 d7 f7 d5 bd cb e6 bb fa 54 34 d6 ae c7 b0 b5 c4 0d 0a b9 c5 b7 a8 b7 c0 ca d8 0d 0a b7 c5 c4 c1 d6 da c9 f1 0d 0a ce d2 d4 da c1 b7 b9 a6 b7 bf c0 ef ca ae cd f2 c4 ea 0d 0a b7 e8 bf f1 b5 c4 d0 a1 cd b5 0d 0a cb e6 bb fa d3 a2
                                                  Data Ascii: T4
Nov 20, 2024 09:21:39.638052940 CET | 1236 | IN | Data Raw: 0a ca ae b5 ee d1 d6 c2 de 32 b5 f6 d3 e3 0d 0a d3 a2 c1 e9 b4 ab cb b5 d0 de b8 b4 d7 a8 ca f4 0d 0a cb a2 b9 d6 b4 f2 c7 ae 0d 0a d0 f2 c1 d0 d5 bd d5 f9 0d 0a b9 ad ca d6 b4 f3 d7 f7 d5 bd 0d 0a bb ec c2 d2 ce e4 c1 d6 49 49 49 0d 0a cc d3 c0
                                                  Data Ascii: 2III322
Nov 20, 2024 09:21:39.639607906 CET | 1236 | IN | Data Raw: ca ac bf aa c5 da 0d 0a b1 ac cb ac cb a2 cb a2 cb a2 0d 0a e1 f7 c1 d4 b6 f1 c4 a7 0d 0a ca de b3 b1 c0 b4 cf ae 0d 0a d4 c6 c3 ce bd ad ba fe 0d 0a c5 da c5 da bb f0 c7 b9 ca d6 0d 0a b1 ac bf b3 ce d7 d1 fd cd f5 0d 0a ce fc d1 aa b9 ed d6 ae
                                                  Data Ascii: ORPG2
Nov 20, 2024 09:21:39.642173052 CET | 419 | IN | Data Raw: 0a be f8 b6 d4 b7 c0 ca d8 32 0d 0a bb c3 cf eb b7 e7 bb aa c2 bc 0d 0a bd a8 bb f9 b5 d8 b1 a9 b4 f2 b2 bb cb c0 d7 e5 0d 0a cc ec c3 fc d4 da ce d2 0d 0a cd f2 bd e7 c9 f1 d7 f0 0d 0a c3 ce bc a3 c9 b3 ba d3 34 0d 0a bb c3 da a4 ca a5 bd e7 0d
                                                  Data Ascii: 242323
Nov 20, 2024 09:21:46.259401083 CET | 164 | OUT | GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1
                                                  Accept: */*
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                  Host: 42.193.100.57
                                                  Cache-Control: no-cache
Nov 20, 2024 09:21:46.669811964 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Content-Type: text/html
                                                  Server: Microsoft-IIS/8.5
                                                  Date: Wed, 20 Nov 2024 08:21:46 GMT
                                                  Content-Length: 1163
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f [TRUNCATED]
                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1></h1></div><div id="content"> <div class="content-container"><fieldset> [TRUNCATED]
                                                  Nov 20, 2024 09:21:46.669821024 CET | 64 | IN | Data Ascii: </h3> </fieldset></div></div></body></html>


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  2 | 192.168.2.7 | 49814 | 42.193.100.57 | 80 | 8040 | C:\Users\user\Desktop\208.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Nov 20, 2024 09:21:49.853832960 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                                                  Accept: */*
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                  Host: 42.193.100.57
                                                  Cache-Control: no-cache
                                                  Nov 20, 2024 09:21:50.940685034 CET | 1236 | IN | HTTP/1.1 200 OK
                                                  Content-Type: text/plain
                                                  Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
                                                  Accept-Ranges: bytes
                                                  ETag: "c04e101e3bdb1:0"
                                                  Server: Microsoft-IIS/8.5
                                                  Date: Wed, 20 Nov 2024 08:21:50 GMT
                                                  Content-Length: 5139
                                                  Data Ascii: 312TDII2TDBTORPG22I223ORPGT5ORPGTDII
                                                  Nov 20, 2024 09:21:50.940702915 CET | 1236 | IN | Data Ascii: T4
                                                  Nov 20, 2024 09:21:50.940713882 CET | 1236 | IN | Data Ascii: 2III322
                                                  Nov 20, 2024 09:21:50.940830946 CET | 1236 | IN | Data Ascii: ORPG2
                                                  Nov 20, 2024 09:21:50.940843105 CET | 419 | IN | Data Ascii: 242323


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  3 | 192.168.2.7 | 49815 | 42.193.100.57 | 80 | 8040 | C:\Users\user\Desktop\208.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Nov 20, 2024 09:21:50.196172953 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                                                  Accept: */*
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                  Host: 42.193.100.57
                                                  Cache-Control: no-cache
                                                  Nov 20, 2024 09:21:51.273374081 CET | 1236 | IN | HTTP/1.1 200 OK
                                                  Content-Type: text/plain
                                                  Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
                                                  Accept-Ranges: bytes
                                                  ETag: "c04e101e3bdb1:0"
                                                  Server: Microsoft-IIS/8.5
                                                  Date: Wed, 20 Nov 2024 08:21:50 GMT
                                                  Content-Length: 5139
                                                  Data Ascii: 312TDII2TDBTORPG22I223ORPGT5ORPGTDII
                                                  Nov 20, 2024 09:21:51.273386002 CET | 1236 | IN | Data Ascii: T4
                                                  Nov 20, 2024 09:21:51.273397923 CET | 376 | IN | Data Ascii: 2III322
                                                  Nov 20, 2024 09:21:51.273611069 CET | 1236 | IN | Data Ascii: 8.264FORPG
                                                  Nov 20, 2024 09:21:51.273622036 CET | 1236 | IN | Data Ascii: X
                                                  Nov 20, 2024 09:21:51.273633003 CET | 43 | IN | Data Ascii: 2
                                                  Nov 20, 2024 09:21:57.067079067 CET | 181 | OUT | GET /%E8%87%AA%E5%B7%B1%E7%9A%84%E6%A1%A3.txt HTTP/1.1
                                                  Accept: */*
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                  Host: 42.193.100.57
                                                  Cache-Control: no-cache
                                                  Nov 20, 2024 09:21:57.474848032 CET | 1236 | IN | HTTP/1.1 200 OK
                                                  Content-Type: text/plain
                                                  Last-Modified: Wed, 20 Nov 2024 07:29:57 GMT
                                                  Accept-Ranges: bytes
                                                  ETag: "c04e101e3bdb1:0"
                                                  Server: Microsoft-IIS/8.5
                                                  Date: Wed, 20 Nov 2024 08:21:57 GMT
                                                  Content-Length: 5139
                                                  Data Ascii: 312TDII2TDBTORPG22I223ORPGT5ORPGTDII
                                                  Nov 20, 2024 09:21:57.474862099 CET | 224 | IN | Data Ascii: T4
                                                  Nov 20, 2024 09:21:57.474873066 CET | 1236 | IN | Data Ascii: 2II2T
                                                  Nov 20, 2024 09:21:57.474905968 CET | 152 | IN | Data Ascii: 2F3
                                                  Nov 20, 2024 09:21:57.474915981 CET | 1236 | IN | Data Ascii: 8.264FORPG
                                                  Nov 20, 2024 09:21:57.475052118 CET | 1236 | IN | Data Ascii: X
                                                  Nov 20, 2024 09:22:04.017035961 CET | 164 | OUT | GET /%E5%AD%98%E6%A1%A3/.txt HTTP/1.1
                                                  Accept: */*
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
                                                  Host: 42.193.100.57
                                                  Cache-Control: no-cache
                                                  Nov 20, 2024 09:22:04.425466061 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Content-Type: text/html
                                                  Server: Microsoft-IIS/8.5
                                                  Date: Wed, 20 Nov 2024 08:22:03 GMT
                                                  Content-Length: 1163
                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=gb2312"/><title>404 - </title><style type="text/css">...body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}fieldset{padding:0 15px 10px 15px;} h1{font-size:2.4em;margin:0;color:#FFF;}h2{font-size:1.7em;margin:0;color:#CC0000;} h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} #header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;background-color:#555555;}#content{margin:0 0 0 2%;position:relative;}.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}--></style></head><body><div id="header"><h1></h1></div><div id="content"> <div class="content-container"><fieldset> [TRUNCATED]


                                                  Target ID: 0
                                                  Start time: 03:21:29
                                                  Start date: 20/11/2024
                                                  Path: C:\Users\user\Desktop\208.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: "C:\Users\user\Desktop\208.exe"
                                                  Imagebase: 0x400000
                                                  File size: 5'218'304 bytes
                                                  MD5 hash: 1303D1BB003A5CDBFBA7B1628760171B
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Reputation: low
                                                  Has exited: false

                                                  Target ID: 6
                                                  Start time: 03:21:48
                                                  Start date: 20/11/2024
                                                  Path: C:\Users\user\Desktop\208.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: "C:\Users\user\Desktop\208.exe"
                                                  Imagebase: 0x400000
                                                  File size: 5'218'304 bytes
                                                  MD5 hash: 1303D1BB003A5CDBFBA7B1628760171B
                                                  Has elevated privileges: false
                                                  Has administrator privileges: false
                                                  Programmed in: C, C++ or other language
                                                  Reputation: low
                                                  Has exited: false


                                                    Execution Graph

                                                    Execution Coverage: 6.9%
                                                    Dynamic/Decrypted Code Coverage: 51.7%
                                                    Signature Coverage: 36%
                                                    Total number of Nodes: 662
                                                    Total number of Limit Nodes: 24
calls 21810->21819 21811 10019f88 21811->21619 21811->21795 21813 1001a074 21814 1001a087 InterlockedExchange 21813->21814 21814->21807 21816 10004b3d 21815->21816 21817 10004b2e 21815->21817 21816->21817 21818 10004baa LdrInitializeThunk 21816->21818 21817->21811 21818->21811 21819->21813 21821 1001a1af 21820->21821 21828 1001a209 21820->21828 21823 1000188f 17 API calls 21821->21823 21822 10004b1b LdrInitializeThunk 21824 1001a22b 21822->21824 21825 1001a1c0 21823->21825 21824->21799 21830 100031b3 6 API calls 21825->21830 21827 1001a1ef InterlockedExchange 21827->21828 21828->21822 21829 1001a1dc 21829->21827 21830->21829 21832 10007dce 21831->21832 21840 10007e28 21831->21840 21833 1000188f 17 API calls 21832->21833 21835 10007ddf 21833->21835 21834 10004b1b LdrInitializeThunk 21836 10007e4a 21834->21836 21841 100031b3 6 API calls 21835->21841 21836->21804 21838 10007dfb 21839 10007e0e InterlockedExchange 21838->21839 21839->21840 21840->21834 21841->21838 22285 10027050 62 API calls 22342 10011753 DispatchMessageA CallWindowProcA 22345 54930d 65 API calls __EH_prolog 22196 4ccb10 22199 4ccaf0 22196->22199 22202 4c4840 22199->22202 22201 4ccb01 22203 4c486b 22202->22203 22204 4c4903 22202->22204 22205 4c488a 22203->22205 22210 4c4893 GetProcAddress 22203->22210 22209 4c4931 22204->22209 22225 4c4b9c 22204->22225 22257 52eba8 6 API calls 22204->22257 22254 52eba8 6 API calls 22205->22254 22219 4c495c 22209->22219 22221 4c4a6f 22209->22221 22211 4c48d5 22210->22211 22212 4c48b3 22210->22212 22256 4c4820 35 API calls 22211->22256 22255 4c4c10 70 API calls 22212->22255 22214 4c48ed 22214->22201 22215 4c4a74 LoadLibraryA 22217 4c4a84 GetProcAddress 22215->22217 22215->22221 22217->22221 22218 4c4a3a LoadLibraryA 22220 4c4aca 22218->22220 22226 4c4a47 GetProcAddress 22218->22226 22219->22218 22222 4c4988 22219->22222 22223 4c49b0 22219->22223 22220->22225 22228 4c4adf FreeLibrary 22220->22228 22229 4c4ae6 22220->22229 22221->22215 22221->22220 22224 4c4ab6 
FreeLibrary 22221->22224 22227 54031a 32 API calls 22222->22227 22248 54031a 22223->22248 22224->22221 22225->22201 22226->22220 22231 4c4a57 22226->22231 22232 4c4994 LoadLibraryA 22227->22232 22228->22229 22236 4c4b4a 22229->22236 22237 4c4af7 22229->22237 22231->22220 22234 4c49a4 22232->22234 22233 4c49c6 22235 54031a 32 API calls 22233->22235 22234->22223 22234->22226 22238 4c49da LoadLibraryA 22235->22238 22259 4c4c10 70 API calls 22236->22259 22258 4c4c10 70 API calls 22237->22258 22241 4c49ea 22238->22241 22241->22226 22244 4c4a32 22241->22244 22245 54031a 32 API calls 22241->22245 22242 4c4b75 22242->22201 22243 4c4b23 22243->22201 22244->22218 22244->22226 22246 4c4a22 LoadLibraryA 22245->22246 22247 5400d1 22246->22247 22247->22244 22249 540324 __EH_prolog 22248->22249 22250 540343 lstrlenA 22249->22250 22251 54033f 22249->22251 22250->22251 22260 540276 22251->22260 22253 540361 22253->22233 22254->22210 22255->22211 22256->22214 22257->22209 22258->22243 22259->22242 22261 540290 22260->22261 22262 54028a 22260->22262 22261->22253 22263 53ff3e 31 API calls 22262->22263 22263->22261 21873 53fe3b 21876 52f72e 21873->21876 21877 52f808 21876->21877 21878 52f75c 21876->21878 21879 52f7a1 21878->21879 21880 52f766 21878->21880 21892 52f792 21879->21892 21896 536654 29 API calls 21879->21896 21893 536654 29 API calls 21880->21893 21882 52f7fa RtlFreeHeap 21882->21877 21884 52f76d 21885 52f787 21884->21885 21894 5378d8 VirtualFree VirtualFree HeapFree 21884->21894 21895 52f798 LeaveCriticalSection 21885->21895 21886 52f7d9 21898 52f7f0 LeaveCriticalSection 21886->21898 21887 52f7ad 21887->21886 21897 53865f VirtualFree HeapFree VirtualFree 21887->21897 21892->21877 21892->21882 21893->21884 21894->21885 21895->21892 21896->21887 21897->21886 21898->21892 22289 1002706f 46 API calls 22349 10026d73 88 API calls 22350 10026b71 23 API calls 22352 1002572d 23 API calls 22291 10026c7b HeapAlloc 22354 10026f7c 45 API calls 22294 5326d5 32 API calls 22295 1002708e 33 
API calls 22358 10027192 59 API calls 22361 10026f9b 23 API calls 22298 10026e99 89 API calls 22089 4cced0 22092 4c68d0 22089->22092 22091 4ccef5 22093 4c690c 22092->22093 22094 4c6910 22093->22094 22096 4c6922 22093->22096 22168 4c4c10 70 API calls 22094->22168 22097 4c6954 22096->22097 22098 4c6acc 22096->22098 22099 4c6a7f 22097->22099 22100 4c6a31 22097->22100 22101 4c69e2 22097->22101 22102 4c6983 22097->22102 22120 4c6c56 22097->22120 22121 4c6b64 22097->22121 22122 4c6d60 22097->22122 22126 4c691d 22097->22126 22103 4c6b10 IsWindow 22098->22103 22117 4c6b26 22098->22117 22108 4c6ab7 22099->22108 22109 4c6aa2 22099->22109 22099->22126 22106 4c6a6a 22100->22106 22107 4c6a55 22100->22107 22100->22126 22104 4c6a1c 22101->22104 22105 4c6a07 22101->22105 22101->22126 22169 52ecf4 29 API calls 22102->22169 22103->22117 22172 4c67d0 51 API calls 22104->22172 22171 4c67d0 51 API calls 22105->22171 22174 4c67d0 51 API calls 22106->22174 22173 4c67d0 51 API calls 22107->22173 22176 4c67d0 51 API calls 22108->22176 22175 4c67d0 51 API calls 22109->22175 22118 4c7139 22117->22118 22119 4c6b52 22117->22119 22130 4c7153 22118->22130 22187 4c4c10 70 API calls 22118->22187 22119->22120 22119->22121 22119->22122 22119->22126 22124 4c6ca5 GetWindowRect 22120->22124 22120->22126 22125 4c6bbd GetWindowRect GetParent 22121->22125 22121->22126 22122->22126 22135 4c6e04 22122->22135 22136 4c6df5 22122->22136 22128 4c6ce4 22124->22128 22129 4c6cc6 22124->22129 22177 541ad4 66 API calls 22125->22177 22126->22091 22127 4c699d 22127->22126 22170 4c67d0 51 API calls 22127->22170 22182 54445b SetWindowPos 22128->22182 22181 54445b SetWindowPos 22129->22181 22132 4c73d0 22130->22132 22150 4c728f 22130->22150 22155 4c7188 22130->22155 22132->22155 22189 4ce910 70 API calls 22132->22189 22140 4c6f8a 22135->22140 22164 4c6e29 22135->22164 22183 5444aa 22136->22183 22137 4c6be0 22141 4c6c00 22137->22141 22178 544342 GetWindowLongA 22137->22178 22186 4c2d90 87 API calls 22140->22186 22180 
54441a MoveWindow 22141->22180 22145 4c6bed 22145->22141 22179 54690e GetWindowLongA ScreenToClient ScreenToClient 22145->22179 22146 4c74d3 IsWindow 22146->22126 22148 4c74de 22146->22148 22148->22126 22152 4c74f2 22148->22152 22151 4c72c6 GetStockObject GetObjectA 22150->22151 22153 4c72b5 22150->22153 22151->22153 22190 4c4300 PeekMessageA 22152->22190 22153->22155 22188 4ce910 70 API calls 22153->22188 22155->22126 22155->22146 22159 4c751f 22160 4c4300 67 API calls 22159->22160 22162 4c7526 22160->22162 22161 4c6f71 22161->22126 22163 5444aa ShowWindow 22161->22163 22162->22126 22163->22126 22164->22126 22164->22161 22165 4c6ed4 IsWindow 22164->22165 22165->22161 22167 4c6ee6 22165->22167 22166 4b4fe0 SendMessageA 22166->22167 22167->22164 22167->22166 22168->22126 22169->22127 22170->22126 22171->22126 22172->22126 22173->22126 22174->22126 22175->22126 22176->22126 22177->22137 22178->22145 22179->22141 22180->22126 22181->22126 22182->22126 22184 5444c0 22183->22184 22185 5444b1 ShowWindow 22183->22185 22184->22126 22185->22184 22186->22126 22187->22130 22188->22155 22189->22155 22191 4c431d 22190->22191 22192 4c4343 22190->22192 22191->22192 22193 544e3c 65 API calls 22191->22193 22194 4c4330 PeekMessageA 22191->22194 22195 4c4360 105 API calls 22192->22195 22193->22191 22194->22191 22194->22192 22195->22159 22301 100274b1 10 API calls 22303 1002a472 __CxxFrameHandler 22304 10026eb8 90 API calls 22305 10026cb9 23 API calls 22309 1001a595 ExitProcess GetProcessHeap RtlAllocateHeap MessageBoxA 22368 10026dc5 30 API calls 22371 10026bd6 25 API calls 22372 530d84 RtlUnwind 22314 100270d8 28 API calls 22315 10026cd8 22 API calls 22317 4cce90 70 API calls 22375 10026de4 84 API calls 22379 100291f3 ??3@YAXPAX GetProcessHeap HeapFree 22380 100293f0 ??3@YAXPAX 22322 10026ef6 75 API calls 22323 10026cf7 43 API calls 22324 4cceb0 83 API calls

                                                    Control-flow Graph
                                                    (rendered graph not preserved; recoverable data follows)
                                                    • Function 4c4840, basic blocks 4c4840-4c4bd0 (graph nodes 412-498).
                                                    • Blocks with API calls: 4c489f GetProcAddress; 4c4988 call 54031a, LoadLibraryA, call 5400d1; 4c49b0 call 54031a x2, LoadLibraryA, call 5400d1 x2; 4c4a12 call 54031a, LoadLibraryA, call 5400d1; 4c4a3a LoadLibraryA; 4c4a47 GetProcAddress; 4c4a74 LoadLibraryA; 4c4a84 GetProcAddress; 4c4ab6 FreeLibrary; 4c4adf FreeLibrary.
                                                    • Blocks with internal calls only: 4c488a and 4c492a call 52eba8; 4c4939 and 4c4ae6 call 4b1e40; 4c495c calls 52fbc0; 4c48e6 calls 4c4820; 4c48b3, 4c4af7 and 4c4b4a each call 4cdfd0, 4c4c10 and 5400d1.
                                                    APIs
                                                    • GetProcAddress.KERNEL32(00000000,007E85F4), ref: 004C48A7
                                                    • LoadLibraryA.KERNEL32(?,?,007F8FD8), ref: 004C4997
                                                    • LoadLibraryA.KERNEL32(?,?), ref: 004C49DD
                                                    • LoadLibraryA.KERNEL32(?,?,007F8EE0,?), ref: 004C4A25
                                                    • LoadLibraryA.KERNEL32(?), ref: 004C4A3B
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004C4A4D
                                                    • FreeLibrary.KERNEL32(00000000), ref: 004C4AE0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: Library$Load$AddressProc$Free
                                                    • String ID:
                                                    • API String ID: 3120990465-0
                                                    • Opcode ID: 8298aec99bd1bcd66cc67a374f409ded6481a5c15f9d9f2f8c1356aa279f3409
                                                    • Instruction ID: 21065c7f70eb81fa8e5161ede46cc0628d0d0314e5cbb0618be4e4c6caa86c13
                                                    • Opcode Fuzzy Hash: 8298aec99bd1bcd66cc67a374f409ded6481a5c15f9d9f2f8c1356aa279f3409
                                                    • Instruction Fuzzy Hash: 21A1E079A00702ABD350DF24C8A5FABB7A4FFD8314F044A2EF91597341DB38E9058BA5

                                                    Control-flow Graph
                                                    (rendered graph not preserved; recoverable data follows)
                                                    • Function 10027bb0, five basic blocks (graph nodes 897-901): 10027bb0 (entry) -> optionally 10027bb9 GetProcessHeap -> 10027bc4 RtlAllocateHeap -> either 10027bf5 (return) or 10027bd9 MessageBoxA followed by call 10027b10, then 10027bf5.
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                                                    • RtlAllocateHeap.NTDLL(00A80000,00000008,?,?,10028674), ref: 10027BCD
                                                    • MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Heap$AllocateMessageProcess
                                                    • String ID: error
                                                    • API String ID: 2992861138-1574812785
                                                    • Opcode ID: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
                                                    • Instruction ID: 89e5899bf0a8eaacd33e9d23978464e8beef4f738102cb453b69e42e0a268b90
                                                    • Opcode Fuzzy Hash: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
                                                    • Instruction Fuzzy Hash: 4DE0DF71A01A31ABE322EB64BC88F4B7698EF05B41F910526F608E2240EF20AC019791

                                                    Control-flow Graph
                                                    (rendered graph not preserved; recoverable data follows)
                                                    • Function 100193c2, basic blocks 100193c2-100198c9 (graph nodes 909-1034).
                                                    • Blocks with API calls: 1001947d CopyFileA; 100195e3 RtlAllocateHeap.
                                                    • Blocks with internal calls: entry 100193c2 calls 1002748d x3 and 100294c0; 100194ca and 10019540 call 10028d40; 1001950b calls 10028000; 1001956e calls 1000241a; 1001958d calls 10028e50 then 10006495; 10019625 calls 10007b67, 1002748d, 10008edd and 10027487; 10019697 calls 10001000; 100196db and 1001976c call 10001b27 then 10001000; 100197fd calls 10007b67; 10019822 calls 100094fb; the remaining blocks call 10027487 or 10027499 on the branch taken.
                                                    APIs
                                                      • Part of subcall function 100294C0: GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                                                      • Part of subcall function 100294C0: GetTickCount.KERNEL32 ref: 10029543
                                                      • Part of subcall function 100294C0: wsprintfA.USER32 ref: 10029558
                                                      • Part of subcall function 100294C0: PathFileExistsA.SHLWAPI(?), ref: 10029565
                                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 10019491
                                                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000000,00000001,?,?,?,00000000), ref: 100195FF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: FilePath$AllocateCopyCountExistsHeapTempTickwsprintf
                                                    • String ID: @
                                                    • API String ID: 183890193-2766056989
                                                    • Opcode ID: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
                                                    • Instruction ID: 886d6a9a19e72094fdb0421fea6300c5803c3cbfa718e8e798f15b8255d4c358
                                                    • Opcode Fuzzy Hash: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
                                                    • Instruction Fuzzy Hash: 26D142B5E40209ABEB01DFD4DCC2F9EB7B4FF18704F540065F604BA282E776A9548B66

                                                    Control-flow Graph
                                                    (rendered graph not preserved; recoverable data follows)
                                                    • Function 1000710e, basic blocks 1000710e-100077f1 (graph nodes 1055-1161).
                                                    • Blocks with API calls: entry 1000710e calls 1002748d x5 then GetVersionExA; 10007351 calls 1002748d then GetSystemInfo; 1000740c calls 10027487 then RtlGetNtVersionNumbers.
                                                    • Blocks with internal calls: 1000728a calls 10027ca0; 10007300 calls 10027487; 100077b7 calls 10027487 x4; 100076e0 and 1000772f call 10028950; 10007273, 100073f5, 100074c6 and 10007671 call 10027499.
                                                    • Between 100074dd and 100077a8 the graph is a long chain of small branch blocks with no API calls.
                                                    APIs
                                                    • GetVersionExA.KERNEL32(00000000,10006DE0), ref: 10007264
                                                    • GetSystemInfo.KERNEL32(00000000,?), ref: 100073E6
                                                    • RtlGetNtVersionNumbers.NTDLL(?,?,00000000), ref: 100074B7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Version$InfoNumbersSystem
                                                    • String ID:
                                                    • API String ID: 995872648-0
                                                    • Opcode ID: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                                                    • Instruction ID: 6910099e4755c4c9484fada616f008788a9246664730439cfdd765e490be93a4
                                                    • Opcode Fuzzy Hash: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                                                    • Instruction Fuzzy Hash: 001225B5E40246DBFB00CFA8DC81799B7F0FF19364F290065E909AB345E379A951CB62
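The "APIs" and "Similarity" entries above give, for each function, the calls the Joe Sandbox IDA plugin attributed to it and an "API ID" key used for similarity lookups, but the report does not say how that key is derived. The script below is an added example, not code from Joe Sandbox or from this report: it parses the "APIs" lines exactly as printed above into structured records (API, module, arguments, call-site address, owning subcall) and rebuilds the key under an inferred rule: split each API name on CamelCase boundaries, drop a small set of noise tokens, count the remaining tokens over all listed calls, emit each count's tokens as one case-insensitively sorted group, highest count first, and join the groups with "$". The noise-token set is an assumption fitted to the four IDs on this page (Library$Load$AddressProc$Free, Heap$AllocateMessageProcess, FilePath$AllocateCopyCountExistsHeapTempTickwsprintf, Version$InfoNumbersSystem); it reproduces those four but is not the plugin's published algorithm. The sample inputs are the four "APIs" lists copied from the report above.

```python
"""Parse Joe Sandbox "APIs" entries and rebuild the per-function "API ID" key.

Added example, not part of the Joe Sandbox report or plugin. The key
derivation is inferred from the four IDs printed in this report.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One "APIs" entry as printed in the report, e.g.
#   "• GetProcAddress.KERNEL32(00000000,007E85F4), ref: 004C48A7"
#   "• Part of subcall function 100294C0: GetTickCount.KERNEL32 ref: 10029543"
_API_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Tokens dropped before building the key. ASSUMPTION: fitted to the four
# API IDs on this page, not a documented Joe Sandbox list.
NOISE_TOKENS = {"Get", "Rtl", "Nt", "Ex", "A", "W", "Box", "Handle"}


@dataclass(frozen=True)
class ApiCall:
    api: str                 # e.g. "LoadLibraryA"
    module: str              # e.g. "KERNEL32"
    args: Tuple[str, ...]    # argument values as printed, "?" when unknown
    ref: int                 # address of the call site
    subcall: Optional[int]   # owning function when listed as "Part of subcall"


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every "APIs" entry found in text; lines that are not entries are skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_RE.search(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def api_tokens(api_name: str) -> List[str]:
    """Split on CamelCase: "RtlGetNtVersionNumbers" -> Rtl, Get, Nt, Version, Numbers."""
    return re.findall(r"[A-Z][a-z0-9]*|[a-z0-9]+", api_name)


def api_id(calls: List[ApiCall]) -> str:
    """Rebuild the "API ID" key (inferred rule): count non-noise tokens over all
    listed calls, emit each count's tokens as one case-insensitively sorted
    group, highest count first, groups joined by "$"."""
    counts = Counter(t for c in calls for t in api_tokens(c.api) if t not in NOISE_TOKENS)
    groups = []
    for n in sorted(set(counts.values()), reverse=True):
        groups.append("".join(sorted((t for t, k in counts.items() if k == n), key=str.lower)))
    return "$".join(groups)


def calls_by_module(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Distinct API names per module, in first-seen order."""
    out: Dict[str, List[str]] = {}
    for c in calls:
        names = out.setdefault(c.module, [])
        if c.api not in names:
            names.append(c.api)
    return out


# The four "APIs" lists copied from the report (4c4840, 10027bb0, 100193c2, 1000710e).
APIS_4C4840 = """
• GetProcAddress.KERNEL32(00000000,007E85F4), ref: 004C48A7
• LoadLibraryA.KERNEL32(?,?,007F8FD8), ref: 004C4997
• LoadLibraryA.KERNEL32(?,?), ref: 004C49DD
• LoadLibraryA.KERNEL32(?,?,007F8EE0,?), ref: 004C4A25
• LoadLibraryA.KERNEL32(?), ref: 004C4A3B
• GetProcAddress.KERNEL32(00000000,?), ref: 004C4A4D
• FreeLibrary.KERNEL32(00000000), ref: 004C4AE0
"""
APIS_10027BB0 = """
• GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
• RtlAllocateHeap.NTDLL(00A80000,00000008,?,?,10028674), ref: 10027BCD
• MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
"""
APIS_100193C2 = """
• Part of subcall function 100294C0: GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
• Part of subcall function 100294C0: GetTickCount.KERNEL32 ref: 10029543
• Part of subcall function 100294C0: wsprintfA.USER32 ref: 10029558
• Part of subcall function 100294C0: PathFileExistsA.SHLWAPI(?), ref: 10029565
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 10019491
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000000,00000001,?,?,?,00000000), ref: 100195FF
"""
APIS_1000710E = """
• GetVersionExA.KERNEL32(00000000,10006DE0), ref: 10007264
• GetSystemInfo.KERNEL32(00000000,?), ref: 100073E6
• RtlGetNtVersionNumbers.NTDLL(?,?,00000000), ref: 100074B7
"""

if __name__ == "__main__":
    for name, text in [("4c4840", APIS_4C4840), ("10027bb0", APIS_10027BB0),
                       ("100193c2", APIS_100193C2), ("1000710e", APIS_1000710E)]:
        calls = parse_api_lines(text)
        print(name, api_id(calls), calls_by_module(calls))
```

Paste any other function's "APIs" list from the report into parse_api_lines and compare api_id against that function's Similarity entry; a mismatch shows where the assumed noise-token list is incomplete. The parsed ApiCall records (module, arguments such as the "error" caption passed to MessageBoxA at 10027BE6, call-site addresses) are also the natural input for grouping a report's calls by behaviour when triaging a sample like this one.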

                                                    Control-flow Graph
                                                    (rendered graph not preserved; recoverable data follows)
                                                    • Function 10007fdd, basic blocks 10007fdd-100080ab (graph nodes 1162-1182). No API call is attributed to a block; the Similarity entry below lists only "Close".
                                                    • Blocks with internal calls: entry 10007fdd calls 100280c0; 10008020 and 1000809f call 10027487; 10008029 calls 1000241a then 10007db8; 1000807e calls 10027499.
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID: `+vw
                                                    • API String ID: 3535843008-2575219697
                                                    • Opcode ID: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                                                    • Instruction ID: f7734d6dfd281f4cec539f69a8a4743609fe5589cfe20e3980177d77de103c32
                                                    • Opcode Fuzzy Hash: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                                                    • Instruction Fuzzy Hash: 92112EB5D40308BBEB50DFE0DC86B9DBBB8EF05340F108069E6447A281D7B66B588B91

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1185 10018ad3-10018b21 call 10018eea * 2 HeapCreate 1191 10018b23-10018b37 call 10027499 1185->1191 1192 10018b3a-10018b5e HeapCreate 1185->1192 1191->1192 1193 10018b60-10018b74 call 10027499 1192->1193 1194 10018b77-10018b8e call 10001000 1192->1194 1193->1194 1201 10018b90-10018ba4 call 10027499 1194->1201 1202 10018ba7-10018bc8 call 1000188f 1194->1202 1201->1202 1207 10018bd3-10018be4 call 1000b61e 1202->1207 1208 10018bca-10018bd0 call 10027487 1202->1208 1213 10018be6-10018bec call 10027487 1207->1213 1214 10018bef-10018c09 call 10001000 1207->1214 1208->1207 1213->1214 1219 10018c22-10018c43 call 1000188f 1214->1219 1220 10018c0b-10018c1f call 10027499 1214->1220 1225 10018c45-10018c4b call 10027487 1219->1225 1226 10018c4e-10018c5f call 1000b61e 1219->1226 1220->1219 1225->1226 1231 10018c61-10018c67 call 10027487 1226->1231 1232 10018c6a-10018c84 call 10001000 1226->1232 1231->1232 1237 10018c86-10018c9a call 10027499 1232->1237 1238 10018c9d-10018cbe call 1000188f 1232->1238 1237->1238 1243 10018cc0-10018cc6 call 10027487 1238->1243 1244 10018cc9-10018cda call 1000b61e 1238->1244 1243->1244 1249 10018ce5-10018cff call 10001000 1244->1249 1250 10018cdc-10018ce2 call 10027487 1244->1250 1255 10018d01-10018d15 call 10027499 1249->1255 1256 10018d18-10018d39 call 1000188f 1249->1256 1250->1249 1255->1256 1261 10018d44-10018d55 call 1000b61e 1256->1261 1262 10018d3b-10018d41 call 10027487 1256->1262 1267 10018d60-10018d7a call 10001000 1261->1267 1268 10018d57-10018d5d call 10027487 1261->1268 1262->1261 1273 10018d93-10018db4 call 1000188f 1267->1273 1274 10018d7c-10018d90 call 10027499 1267->1274 1268->1267 1279 10018db6-10018dbc call 10027487 1273->1279 1280 10018dbf-10018dd0 call 1000b61e 1273->1280 1274->1273 1279->1280 1285 10018dd2-10018dd8 call 10027487 1280->1285 1286 10018ddb-10018e4b call 10006453 call 1000710e call 10018f34 call 100191e3 call 10019edc call 1000ff10 call 100114f9 1280->1286 1285->1286 1303 10018e56-10018ea3 call 10019edc call 1000ff10 call 100114f9 1286->1303 1304 10018e4d-10018e53 call 10027487 1286->1304 1313 10018ea5-10018eab call 10027487 1303->1313 1314 10018eae-10018ec2 call 10019f4c 1303->1314 1304->1303 1313->1314 1318 10018ec7-10018ee9 call 1001a236 1314->1318
                                                    APIs
                                                      • Part of subcall function 10018EEA: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                                                    • HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 10018B14
                                                    • HeapCreate.KERNEL32(00040000,00000000,00000000), ref: 10018B51
                                                      • Part of subcall function 1000FF10: RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Create$Heap$ComputeCrc32Mutex
                                                    • String ID:
                                                    • API String ID: 3311811139-0
                                                    • Opcode ID: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                                                    • Instruction ID: 66fc46a93c8d8d126791b072413d70454ec7258938680aadaad6e332e46fbde2
                                                    • Opcode Fuzzy Hash: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                                                    • Instruction Fuzzy Hash: B8B10CB5E00309ABEB10EFE4DCC2B9E77B8FB14340F504465E618EB246E775AB448B52
                                                    APIs
                                                    • LdrInitializeThunk.NTDLL(-0000007F), ref: 10004BAD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                                                    • Instruction ID: 7f13cb2829284cec5adb7bd0b88e9c5a5f53f04c1fb2448feb0c9f08ba257be5
                                                    • Opcode Fuzzy Hash: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                                                    • Instruction Fuzzy Hash: 0111C4B1600645DBFB20DF18C894B5973A5EB413D9F128336E806CB2E8CB78DD85C789
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D511,00000000), ref: 1001A1FA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                                                    • Instruction ID: 8b03ad6f155dc1ffa3c952e4c0ec4cfc85cd69f7d418c3f1b48ca094e25b3ce2
                                                    • Opcode Fuzzy Hash: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                                                    • Instruction Fuzzy Hash: EF012975D04319A7DB00EFD49C82F9E77B9EB05340F404066E50466151D775DB949B92
                                                    APIs
                                                    • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: CreateMutex
                                                    • String ID:
                                                    • API String ID: 1964310414-0
                                                    • Opcode ID: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                                                    • Instruction ID: b5123a5caac3b4bfff5d25017b882f5dc189a7960400f6af0356bf2a3b5a090f
                                                    • Opcode Fuzzy Hash: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                                                    • Instruction Fuzzy Hash: 49E01270E95308F7E120AA505D03B29B635D70AB11F609055BE083E1C1D5B19A156696
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8264c45be557f13266e2939b301ca917ee25164145817e960c0fff1cda7a2770
                                                    • Instruction ID: 544fcef99b3066ea5942e908135793350143b893c48377733f3b3a5047db3fe5
                                                    • Opcode Fuzzy Hash: 8264c45be557f13266e2939b301ca917ee25164145817e960c0fff1cda7a2770
                                                    • Instruction Fuzzy Hash: 5A31D870D00A0DEBCF00DF95E5C5AADBBB0FF09300F5180D5E9A46A25ADB355A34DB26

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 501 549c30-549c4d EnterCriticalSection 502 549c5c-549c61 501->502 503 549c4f-549c56 501->503 505 549c63-549c66 502->505 506 549c7e-549c87 502->506 503->502 504 549d15-549d18 503->504 507 549d20-549d41 LeaveCriticalSection 504->507 508 549d1a-549d1d 504->508 509 549c69-549c6c 505->509 510 549c9c-549cb8 GlobalHandle GlobalUnlock GlobalReAlloc 506->510 511 549c89-549c9a GlobalAlloc 506->511 508->507 512 549c76-549c78 509->512 513 549c6e-549c74 509->513 514 549cbe-549cca 510->514 511->514 512->504 512->506 513->509 513->512 515 549ce7-549d14 GlobalLock call 531840 514->515 516 549ccc-549ce2 GlobalHandle GlobalLock LeaveCriticalSection call 53e121 514->516 515->504 516->515
                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(00827AA0,00827A74,00000000,?,00827A84,00827A84,00549FCB,?,00000000,00549A1E,0054930D,00549A3A,00544E41,005460E6,?,00000000), ref: 00549C3F
                                                    • GlobalAlloc.KERNEL32(00002002,00000000,?,?,00827A84,00827A84,00549FCB,?,00000000,00549A1E,0054930D,00549A3A,00544E41,005460E6,?,00000000), ref: 00549C94
                                                    • GlobalHandle.KERNEL32(00AA3E40), ref: 00549C9D
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00549CA6
                                                    • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00549CB8
                                                    • GlobalHandle.KERNEL32(00AA3E40), ref: 00549CCF
                                                    • GlobalLock.KERNEL32(00000000), ref: 00549CD6
                                                    • LeaveCriticalSection.KERNEL32(0052DFF8,?,?,00827A84,00827A84,00549FCB,?,00000000,00549A1E,0054930D,00549A3A,00544E41,005460E6,?,00000000), ref: 00549CDC
                                                    • GlobalLock.KERNEL32(00000000), ref: 00549CEB
                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00549D34
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                                    • String ID:
                                                    • API String ID: 2667261700-0
                                                    • Opcode ID: 799b0489a169ba97f8eae9c6e1fac84caeeaf80516c7be6522846b83e129c017
                                                    • Instruction ID: 1e20485e5a3be9b87e3b9325e2dd40b70e30227bc50ccc22cd6acad8277f0d69
                                                    • Opcode Fuzzy Hash: 799b0489a169ba97f8eae9c6e1fac84caeeaf80516c7be6522846b83e129c017
                                                    • Instruction Fuzzy Hash: 963181756007069FDB249F28DC9AA6BBBE9FB84305F010A2DF456C7661E771EC48CB14

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 886 100294c0-100294cf 887 100294d1-100294e3 GetTempPathA 886->887 888 100294eb-10029511 886->888 889 10029513-1002952c 887->889 890 100294e5-100294e9 887->890 888->889 891 10029531-1002953d 889->891 892 1002952e 889->892 890->889 893 10029543-10029569 GetTickCount wsprintfA PathFileExistsA 891->893 892->891 893->893 894 1002956b-100295b3 call 10027bb0 893->894
                                                    APIs
                                                    • GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                                                    • GetTickCount.KERNEL32 ref: 10029543
                                                    • wsprintfA.USER32 ref: 10029558
                                                    • PathFileExistsA.SHLWAPI(?), ref: 10029565
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Path$CountExistsFileTempTickwsprintf
                                                    • String ID: %s%x.tmp
                                                    • API String ID: 3843276195-78920241
                                                    • Opcode ID: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                                                    • Instruction ID: 19c0f5fbbc49b21063d5a4c1e69b6cb6cd736cc94922c53957f775166a9e82b6
                                                    • Opcode Fuzzy Hash: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                                                    • Instruction Fuzzy Hash: 9521F6352046144FE329D638AC526EB77D5FBC4360F948A2DF9AA831C0DF74DD058791

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000020,00000000,00000000,100149DF,00000001,00000000,00000000,80000004,00000000,00000000,00000000), ref: 10028D55
                                                    • GetFileSize.KERNEL32(00000000,?,1002C201,00000268,?,00000000,00000000,00000000,00000000), ref: 10028D6C
                                                      • Part of subcall function 10027BB0: GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                                                      • Part of subcall function 10027BB0: RtlAllocateHeap.NTDLL(00A80000,00000008,?,?,10028674), ref: 10027BCD
                                                      • Part of subcall function 10027BB0: MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                                                    • ReadFile.KERNEL32(00000000,00000008,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D98
                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D9F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: File$Heap$AllocateCloseCreateHandleMessageProcessReadSize
                                                    • String ID:
                                                    • API String ID: 749537981-0
                                                    • Opcode ID: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                                                    • Instruction ID: 3e7a6e3e6917c5c906f0044d82f650070526e8034b550c75b50b94cd4b2286ca
                                                    • Opcode Fuzzy Hash: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                                                    • Instruction Fuzzy Hash: 31F044762003107BE3218B64DCC9F9B77ACEB84B51F204A1DF616961D0E670A5458761

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1040 544e51-544e5a call 549a0f 1043 544e5c-544e87 call 5497d8 GetCurrentThreadId SetWindowsHookExA call 54a02c 1040->1043 1044 544eaf 1040->1044 1048 544e8c-544e92 1043->1048 1049 544e94-544e99 call 549a0f 1048->1049 1050 544e9f-544eae call 549f97 1048->1050 1049->1050 1050->1044
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 00544E64
                                                    • SetWindowsHookExA.USER32(000000FF,V`H,00000000,00000000), ref: 00544E74
                                                      • Part of subcall function 0054A02C: __EH_prolog.LIBCMT ref: 0054A031
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: CurrentH_prologHookThreadWindows
                                                    • String ID: V`H
                                                    • API String ID: 2183259885-1425837005
                                                    • Opcode ID: 4e8c846c88438d327b1b1fe028fe1ed1fa4be22cc98e586880b002200798e337
                                                    • Instruction ID: 7ece4aa872334b0863167523b191370d5eb7394b99c0efca3bcf1e8474a9c863
                                                    • Opcode Fuzzy Hash: 4e8c846c88438d327b1b1fe028fe1ed1fa4be22cc98e586880b002200798e337
                                                    • Instruction Fuzzy Hash: 37F0E5328847517FDB203BB0A80FBDA3E94BB80329F050654B112A64E1EB604C84C752

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1323 54a860-54a88b SetErrorMode * 2 call 549a0f * 2 1328 54a8ac-54a8b6 call 549a0f 1323->1328 1329 54a88d-54a8a7 call 54a8c3 1323->1329 1333 54a8bd-54a8c0 1328->1333 1334 54a8b8 call 544e51 1328->1334 1329->1328 1334->1333
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000000,00000000,00546105,00000000,00000000,00000000,00000000,?,00000000,?,0053D893,00000000,00000000,00000000,00000000,0052DFF8), ref: 0054A869
                                                    • SetErrorMode.KERNEL32(00000000,?,00000000,?,0053D893,00000000,00000000,00000000,00000000,0052DFF8,00000000), ref: 0054A870
                                                      • Part of subcall function 0054A8C3: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0054A8F4
                                                      • Part of subcall function 0054A8C3: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0054A995
                                                      • Part of subcall function 0054A8C3: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0054A9C2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
                                                    • String ID:
                                                    • API String ID: 3389432936-0
                                                    • Opcode ID: 82fee41d036530f9663fbc097676b7cedf462ea0941c4c5d27f505813dd9e2c3
                                                    • Instruction ID: 34eb22a69e3933a8a0abdafa6ca4a4334125a0c20b9b493cb25cd9d61432d86b
                                                    • Opcode Fuzzy Hash: 82fee41d036530f9663fbc097676b7cedf462ea0941c4c5d27f505813dd9e2c3
                                                    • Instruction Fuzzy Hash: D4F037719943518FD714BF64D449B8A7FA8BF88714F05848AF4449B2A2CB70D841CF56

                                                     Control-flow Graph (basic blocks and edges)
                                                     • 1336: 4c4300-4c431b, PeekMessageA -> 1337, 1338
                                                     • 1337: 4c431d-4c4322 -> 1338, 1339
                                                     • 1338: 4c4343-4c4347 (exit)
                                                     • 1339: 4c4324-4c4341, call 544e3c, PeekMessageA -> 1337, 1338
                                                    APIs
                                                    • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004C4317
                                                    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004C433D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: MessagePeek
                                                    • String ID:
                                                    • API String ID: 2222842502-0
                                                    • Opcode ID: 8eec6e5128e93a42b400f06fea6d6258ee0e0a5c76780dbcd1cb1337692102ff
                                                    • Instruction ID: f348effb5048d30e07e6a5048a41180952f9128151fb331baab46005233433b9
                                                    • Opcode Fuzzy Hash: 8eec6e5128e93a42b400f06fea6d6258ee0e0a5c76780dbcd1cb1337692102ff
                                                    • Instruction Fuzzy Hash: 8DF06535740342AAEA20E6A48D16F963E586FC4B40F94045ABA409F1D4D6A4E5058BAA

                                                     Control-flow Graph (basic blocks and edges)
                                                     • 1343: 533f98-533fb6, HeapCreate -> 1344, 1345
                                                     • 1344: 533fb8-533fc5, call 533e50 -> 1348, 1349
                                                     • 1345: 533fee-533ff0 (exit)
                                                     • 1348: 533fc7-533fd2, call 537865 -> 1355
                                                     • 1349: 533fd4-533fd7 -> 1351, 1352
                                                     • 1351: 533ff1-533ff4 (exit)
                                                     • 1352: 533fd9, call 5383ac -> 1355
                                                     • 1355: 533fde-533fe0 -> 1351, 1356
                                                     • 1356: 533fe2-533fe8, HeapDestroy -> 1345
                                                    APIs
                                                    • HeapCreate.KERNEL32(00000000,00001000,00000000,0052DF76,00000001), ref: 00533FA9
                                                      • Part of subcall function 00533E50: GetVersionExA.KERNEL32 ref: 00533E6F
                                                    • HeapDestroy.KERNEL32 ref: 00533FE8
                                                      • Part of subcall function 00537865: HeapAlloc.KERNEL32(00000000,00000140,00533FD1,000003F8), ref: 00537872
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: Heap$AllocCreateDestroyVersion
                                                    • String ID:
                                                    • API String ID: 2507506473-0
                                                    • Opcode ID: 345425e9af27faf0265c41ea0d82b9dd3e3303e25ad377b8ed4358d347821399
                                                    • Instruction ID: 3a45ebcea67b3d74a1cb51e26fdd04bf7c25358b33e784b1e307e95240e40088
                                                    • Opcode Fuzzy Hash: 345425e9af27faf0265c41ea0d82b9dd3e3303e25ad377b8ed4358d347821399
                                                    • Instruction Fuzzy Hash: B7F09B70E453029AEF302731AD4A7657FB4BB90782F504C25F400C51B4EF64C685D611
                                                    APIs
                                                    • IsBadReadPtr.KERNEL32(00000000,00000008), ref: 10027C6E
                                                    • RtlFreeHeap.NTDLL(00A80000,00000000,00000000), ref: 10027C80
                                                      • Part of subcall function 10027AE0: GetModuleHandleA.KERNEL32(10000000,10027CB6,?,?,00000000,10013438,00000004,1002D4C1,00000000,00000000,?,00000014,00000000,00000000), ref: 10027AEA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: FreeHandleHeapModuleRead
                                                    • String ID:
                                                    • API String ID: 627478288-0
                                                    • Opcode ID: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                                                    • Instruction ID: 59851536013e0aac3578df5bad16e171669d5e3b00cd7f1de4e20f90094f5fd3
                                                    • Opcode Fuzzy Hash: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                                                    • Instruction Fuzzy Hash: 46E0ED71A0153297EB21FB34ADC4A4B769CFB417C0BB1402AF548B3151D330AC818BA2
                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0052F93C
                                                      • Part of subcall function 00536654: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0053076C,00000009,00000000,00000000,00000001,00533DE1,00000001,00000074,?,?,00000000,00000001), ref: 00536691
                                                      • Part of subcall function 00536654: EnterCriticalSection.KERNEL32(?,?,?,0053076C,00000009,00000000,00000000,00000001,00533DE1,00000001,00000074,?,?,00000000,00000001), ref: 005366AC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$AllocateEnterHeapInitialize
                                                    • String ID:
                                                    • API String ID: 1616793339-0
                                                    • Opcode ID: 20313b40f7e3dce336daa9741e1f2966b5b848e41a72be9efe4f076bd3057cb2
                                                    • Instruction ID: 7b56e2c9da9a259d952406973c3615529dd566496f40b84713af7035b72e6d44
                                                    • Opcode Fuzzy Hash: 20313b40f7e3dce336daa9741e1f2966b5b848e41a72be9efe4f076bd3057cb2
                                                    • Instruction Fuzzy Hash: 8D218132A00225BBDB20AB69FD46B9EBFB4FF02724F144535F411EB2D1C774A9818B94
                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,0053076C,00000009,00000000,00000000,00000001,00533DE1,00000001,00000074), ref: 0052F802
                                                      • Part of subcall function 00536654: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0053076C,00000009,00000000,00000000,00000001,00533DE1,00000001,00000074,?,?,00000000,00000001), ref: 00536691
                                                      • Part of subcall function 00536654: EnterCriticalSection.KERNEL32(?,?,?,0053076C,00000009,00000000,00000000,00000001,00533DE1,00000001,00000074,?,?,00000000,00000001), ref: 005366AC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$EnterFreeHeapInitialize
                                                    • String ID:
                                                    • API String ID: 641406236-0
                                                    • Opcode ID: 6bbe92e95e5e50c560ef673135305bb2aab7de2ade05c5dafc1efb0333b91f63
                                                    • Instruction ID: a866127fe020f7fef98054cf8992c6f43cbaa49073fdc435564f894815408189
                                                    • Opcode Fuzzy Hash: 6bbe92e95e5e50c560ef673135305bb2aab7de2ade05c5dafc1efb0333b91f63
                                                    • Instruction Fuzzy Hash: AD21C872801219ABDB209B54FC4AF9DBF78FF15720F280539F410A21D0DB345941CBA5
                                                    APIs
                                                    • LoadStringA.USER32(?,?,?,?), ref: 005459D8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: LoadString
                                                    • String ID:
                                                    • API String ID: 2948472770-0
                                                    • Opcode ID: 40b681f0eb12bf682b615047342c379f509e79dc48667a59968eaf647e38dde4
                                                    • Instruction ID: 8e8ef572204fce2589af0aa7cf685f4fbdf9b9b9a2ff7f47f4f6fcf0d949cc61
                                                    • Opcode Fuzzy Hash: 40b681f0eb12bf682b615047342c379f509e79dc48667a59968eaf647e38dde4
                                                    • Instruction Fuzzy Hash: F3D0A7721083A29BC711DF508809DCFBFA8BF94320B044C0DF48453112D330C804CB61
                                                    APIs
                                                    • ShowWindow.USER32(?,?,004C0E6C,00000000), ref: 005444B8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: ShowWindow
                                                    • String ID:
                                                    • API String ID: 1268545403-0
                                                    • Opcode ID: acf6b276f8ca7226e4bb5dde0f7d0ba1f39025784c939386b435f722e44fa1d2
                                                    • Instruction ID: f17d4fe166e2984382da11de18e3af9d95e80066a9337b616801462ce75c6cca
                                                    • Opcode Fuzzy Hash: acf6b276f8ca7226e4bb5dde0f7d0ba1f39025784c939386b435f722e44fa1d2
                                                    • Instruction Fuzzy Hash: 04D09230204300EFCF058F60DA48B5ABBB2BF94709B299A68F04A8A525D732DC12EF05
                                                    APIs
                                                    • DeleteFileA.KERNEL32(00000000,10015A7E,00000001,10014425,00000000,80000004), ref: 10028E55
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: DeleteFile
                                                    • String ID:
                                                    • API String ID: 4033686569-0
                                                    • Opcode ID: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                                                    • Instruction ID: ffbd99c73049c44a809e906c9e813abd6042298cab9f2baa300a0a2bd65e465f
                                                    • Opcode Fuzzy Hash: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                                                    • Instruction Fuzzy Hash: 5EA00275904611EBDE11DBA4C9DC84B7BACAB84341B108844F155C2130C634D451CB21
                                                    APIs
                                                    • IsWindow.USER32(00000000), ref: 1001F57C
                                                    • IsIconic.USER32(00000000), ref: 1001F86F
                                                    • GetDCEx.USER32(00000000,00000000,00000020,?,?,?,?,-00000004), ref: 1001F8D4
                                                    • GetDCEx.USER32(00000000,00000000,00000020,?,?,?,?,-00000004), ref: 1001FE93
                                                    • GetWindowInfo.USER32(00000000,00000000), ref: 1001FFE2
                                                    • GetWindowRect.USER32(00000000,?), ref: 100201EB
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 100205D5
                                                    • CreateDIBSection.GDI32(00000000,00000000,00000000,00000000), ref: 100206C0
                                                    • SelectObject.GDI32(00000000,00000000), ref: 10020798
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 100207D7
                                                    • SelectObject.GDI32(00000000,00000000), ref: 1002086C
                                                    • PrintWindow.USER32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,-00000004), ref: 100208A9
                                                    • BitBlt.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00CC0020), ref: 1002091B
                                                    • SelectObject.GDI32(00000000,00000000), ref: 10020ADE
                                                    • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 10020CB4
                                                      • Part of subcall function 10028090: _CIfmod.MSVCRT(?,?,?,1000197A,00000002,?,?,80000601,00000000,40140000,80000601,00000000,00000000,00000001), ref: 100280A8
                                                      • Part of subcall function 10002461: HeapAlloc.KERNEL32(00000008,?,?,10026C94), ref: 1000247B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Window$CreateObjectSelect$Compatible$AllocBitsHeapIconicIfmodInfoPrintRectSection
                                                    • String ID:
                                                    • API String ID: 3140154463-0
                                                    • Opcode ID: 88eda80100b7a025ec30ab416d140f093013ab73758d7af4ff83b5959809b2a7
                                                    • Instruction ID: ea048d8ca86424f245eedfb131be0975fd1a5b6ab4dedd9bad29979357843bcf
                                                    • Opcode Fuzzy Hash: 88eda80100b7a025ec30ab416d140f093013ab73758d7af4ff83b5959809b2a7
                                                    • Instruction Fuzzy Hash: CB13F3B0A40329DBEF20CF54DCC1B99BBB1FF19314F5440A4E648AB241D775AAA4DF25
                                                    APIs
                                                    • PathFindFileNameA.SHLWAPI(00000000), ref: 100143A7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: FileFindNamePath
                                                    • String ID:
                                                    • API String ID: 1422272338-0
                                                    • Opcode ID: 0e6eff065a05a2f384f771e1e98f391994859e5652061184b7ca416d9ae97ae4
                                                    • Instruction ID: 6aa6a69dd7cd03d5bb48bed33b8f4d969fd18b6c87b19858859c797241170964
                                                    • Opcode Fuzzy Hash: 0e6eff065a05a2f384f771e1e98f391994859e5652061184b7ca416d9ae97ae4
                                                    • Instruction Fuzzy Hash: 6A8276B5E40309ABEB10DFD0DC82F9E77B4EF14741F550025F608BE291EBB2AA558B52
                                                    APIs
                                                    • IsIconic.USER32(?), ref: 004CC7EC
                                                    • IsZoomed.USER32(?), ref: 004CC7FA
                                                    • LoadLibraryA.KERNEL32(User32.dll,00000003,00000009), ref: 004CC824
                                                    • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004CC837
                                                    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004CC845
                                                    • FreeLibrary.KERNEL32(00000000), ref: 004CC87B
                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004CC891
                                                    • IsWindow.USER32(?), ref: 004CC8BE
                                                    • ShowWindow.USER32(?,00000005,?,?,?,?,00000004), ref: 004CC8CB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryProcWindow$FreeIconicInfoLoadParametersShowSystemZoomed
                                                    • String ID: GetMonitorInfoA$H$MonitorFromWindow$User32.dll
                                                    • API String ID: 447426925-661446951
                                                    • Opcode ID: 2aad0ee79b479b02fb2b946597527b075e3f00870acc05ba3d091f7f16e5603c
                                                    • Instruction ID: f399e171fcd14cdb3fa172c1acac950232705f0c1a6c5618e7b234c16eee75ca
                                                    • Opcode Fuzzy Hash: 2aad0ee79b479b02fb2b946597527b075e3f00870acc05ba3d091f7f16e5603c
                                                    • Instruction Fuzzy Hash: D0318275740702AFDB10AF61CC59F6B7BA8EF94B42F00451DFA06A7290DB78DC098B69
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D459,?), ref: 1000C917
                                                    • InterlockedExchange.KERNEL32(1002D45D,?), ref: 1000C9CE
                                                    • InterlockedExchange.KERNEL32(1002D461,?), ref: 1000CA85
                                                    • InterlockedExchange.KERNEL32(1002D465,?), ref: 1000CB3C
                                                    • InterlockedExchange.KERNEL32(1002D469,?), ref: 1000CBF3
                                                    • InterlockedExchange.KERNEL32(1002D455,?), ref: 1000CCAA
                                                      • Part of subcall function 10001D56: IsBadCodePtr.KERNEL32(00000000), ref: 10001D73
                                                    • GetWindowThreadProcessId.USER32(1000C613,00000000), ref: 1000CCFD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked$CodeProcessThreadWindow
                                                    • String ID:
                                                    • API String ID: 1323220708-0
                                                    • Opcode ID: a57e3a7ebe96e369419e08ba99744fb8776840faf4a81f30f508d6abc0fe4111
                                                    • Instruction ID: 2b64659c084c5c153bef61b4d063f84a8c6e811bd728d09e8d095ab07dd3c45c
                                                    • Opcode Fuzzy Hash: a57e3a7ebe96e369419e08ba99744fb8776840faf4a81f30f508d6abc0fe4111
                                                    • Instruction Fuzzy Hash: AF5308B5E00348ABEF11DFD4DC82FADBBB5EF08344F540029FA04BA296D7B669548B15
                                                    APIs
                                                    • GetWindowRect.USER32(00000001,00000001), ref: 1002140D
                                                    • GetDCEx.USER32(00000000,00000000,00000020,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 100218AD
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 100218DC
                                                    • SelectObject.GDI32(00000000,00000000), ref: 1002195D
                                                    • PrintWindow.USER32(00000001,00000000,00000000), ref: 10021994
                                                    • GetObjectA.GDI32(00000000,00000018,00000000), ref: 10021A33
                                                    • GetDIBits.GDI32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 10021CA1
                                                    • SelectObject.GDI32(00000000,00000000), ref: 100220CA
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 10022153
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Object$SelectWindow$BitsCompatibleCreatePrintRectRelease
                                                    • String ID:
                                                    • API String ID: 2343085801-0
                                                    • Opcode ID: 63133bb0db85fb87063aa834a4ef367d52919f1049c1e49f4a6d5bd8347d4e59
                                                    • Instruction ID: af8189180e66b16a91b6480abd6d1d91958fea63da9546105489bf86ff406ccc
                                                    • Opcode Fuzzy Hash: 63133bb0db85fb87063aa834a4ef367d52919f1049c1e49f4a6d5bd8347d4e59
                                                    • Instruction Fuzzy Hash: A7A2BCB4E40359ABEF10CF94DC81B9DBBB1FF09304F604064EA09AB295D3B56965CB26
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8b40948541689ab0bc5330c10140b1aac34b1ca91b5829676350bdb5b5ad1a70
                                                    • Instruction ID: 95a280cf919ef0e5f6dec807453971aa37c7baccb68f890df8a849c86d7b7558
                                                    • Opcode Fuzzy Hash: 8b40948541689ab0bc5330c10140b1aac34b1ca91b5829676350bdb5b5ad1a70
                                                    • Instruction Fuzzy Hash: F562D2796083019FC764CF24D880F6B77E5AFC4318F54892EF88A97351DA38E805CB9A
                                                    APIs
                                                    • GetVersionExA.KERNEL32 ref: 00533E6F
                                                    • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00533EA4
                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00533F04
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentFileModuleNameVariableVersion
                                                    • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                    • API String ID: 1385375860-4131005785
                                                    • Opcode ID: 5f5aec9753988e521ee00c7aa1cbce9d4f27956d871e25bf16a439817830d58f
                                                    • Instruction ID: 1fac27ccaf85a6ccd7877eedef7ea4f91b98e54911b44507f0b1565232d3b1cb
                                                    • Opcode Fuzzy Hash: 5f5aec9753988e521ee00c7aa1cbce9d4f27956d871e25bf16a439817830d58f
                                                    • Instruction Fuzzy Hash: 7B312472D012886DEB319670AC99BED7F7CBB06704F5404E9E045CA082F638DF8A9B11
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ?$\$\REGISTRY\MACHINE$\REGISTRY\MACHINE\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT$\REGISTRY\USER$_Classes
                                                    • API String ID: 0-1655980394
                                                    • Opcode ID: e22ae917082b87936fa41f08c48656746adfa22af9818a3601b39729e2dc5093
                                                    • Instruction ID: cfee4882955295f256346ab5d35a508912345f973a0f1410f6445f43bbb6ad63
                                                    • Opcode Fuzzy Hash: e22ae917082b87936fa41f08c48656746adfa22af9818a3601b39729e2dc5093
                                                    • Instruction Fuzzy Hash: 379124B5E00209EFDF40DFD4DD85BAE7BB8FF18240F604429E60DAA241D7759B849B62
                                                    APIs
                                                    • UnmapViewOfFile.KERNEL32(00000000,00000000,00000000,?,00000018,00000000,00000000,00000000,00000000,00000000,00000018,00000000,00000000,00000000,00000000,00000000), ref: 100226B0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: FileUnmapView
                                                    • String ID:
                                                    • API String ID: 2564024751-0
                                                    • Opcode ID: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                                                    • Instruction ID: aca3888e1ced534dfb8bff30dc6f5772290e13aa398f14ea119e8b9ebb5f1563
                                                    • Opcode Fuzzy Hash: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                                                    • Instruction Fuzzy Hash: CED1AF75D40209FBEF219FE0EC46BDDBAB1EB09714F608115F6203A2E0C7B62A549F59
                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 1001A976
                                                    • SelectObject.GDI32(00000000,00000000), ref: 1001A9E8
                                                    • SelectObject.GDI32(00000000,00000000), ref: 1001ABA2
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 1001ABFD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ObjectSelect$Release
                                                    • String ID:
                                                    • API String ID: 3581861777-0
                                                    • Opcode ID: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                                                    • Instruction ID: 0a28f281d22c81f76b667070ee8f4b39c3514b9b46e69f88ae8cd14bf3a1b365
                                                    • Opcode Fuzzy Hash: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                                                    • Instruction Fuzzy Hash: 2B9116B0D40309EBDF01EF81DC86BAEBBB1EB0A715F005015F6187A290D3B69691CF96
                                                    APIs
                                                    • GetWindow.USER32(?,00000005), ref: 1001A773
                                                    • IsWindowVisible.USER32(00000000), ref: 1001A7AC
                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 1001A7E9
                                                    • GetWindow.USER32(00000000,00000002), ref: 1001A872
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Window$ProcessThreadVisible
                                                    • String ID:
                                                    • API String ID: 569392824-0
                                                    • Opcode ID: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
                                                    • Instruction ID: 356be4359fdaef5b37944779847d5b641f80ef076249e3ad3302764c89b6051f
                                                    • Opcode Fuzzy Hash: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
                                                    • Instruction Fuzzy Hash: 284105B4D40219EBEB40EF90DC87BAEFBB0FB06711F105065E5097E190E7B19A90CB96
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID: ($`+vw
                                                    • API String ID: 3535843008-3594963921
                                                    • Opcode ID: 7a332dac4401a920269cba03dc06d0fc5b09a4c31d79a57ea6b303e349c4f0f0
                                                    • Instruction ID: acc8f56f01466ae78c1c2cfb7f14f5a9cb3254fd2462285b483ece6b545600e1
                                                    • Opcode Fuzzy Hash: 7a332dac4401a920269cba03dc06d0fc5b09a4c31d79a57ea6b303e349c4f0f0
                                                    • Instruction Fuzzy Hash: 41220CB5D00219ABEF00DFE4ECC1BAEB775FF18340F504028FA15BA256D776A9608B61
                                                    APIs
                                                    • SystemParametersInfoA.USER32(00000059,00000000,00000000,00000000), ref: 100156E3
                                                    • SystemParametersInfoA.USER32(0000005A,00000000,00000000,00000002), ref: 100158B9
                                                    • UnloadKeyboardLayout.USER32(00000000), ref: 100159A5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: InfoParametersSystem$KeyboardLayoutUnload
                                                    • String ID:
                                                    • API String ID: 1487128349-0
                                                    • Opcode ID: 0226bddf635d607848fcc8a3ce1956f1dfd2ff90d5e67fe2f9c10deefa186aa5
                                                    • Instruction ID: 050fea7ffa1bc3994f10f6bed9b27e470259e4e1db6febdaadab7ec0439d0979
                                                    • Opcode Fuzzy Hash: 0226bddf635d607848fcc8a3ce1956f1dfd2ff90d5e67fe2f9c10deefa186aa5
                                                    • Instruction Fuzzy Hash: 224245B5E40305EBEB00DF94DCC2FAE77A4EF18355F540025E605BF286E776AA448B62
                                                    APIs
                                                    • ReleaseMutex.KERNEL32(?,?,10026B6B), ref: 100141AB
                                                    • NtClose.NTDLL(?), ref: 100141D7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: CloseMutexRelease
                                                    • String ID: `+vw
                                                    • API String ID: 2985832019-2575219697
                                                    • Opcode ID: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
                                                    • Instruction ID: 38ac61447b851c898caa1bdb063a432cf123be9b48bf26603be34453f4d11833
                                                    • Opcode Fuzzy Hash: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
                                                    • Instruction Fuzzy Hash: 69F08CB0E41308F7DA00AF50DC03B7DBA30EB16751F105021FA087E0A0DBB29A659A9A
                                                    APIs
                                                    • lstrlen.KERNEL32(00000000,FFFFFFFF,00000000,?,00000000,00000000,00000001,FFFFFFFF,00000000,?,FFFFFFFF,00000000,?,FFFFFFFF,00000000), ref: 10019B06
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: lstrlen
                                                    • String ID: Z$w
                                                    • API String ID: 1659193697-2716038989
                                                    • Opcode ID: 14b0ca790eb9ae8847579f1349c02be75ec1f05ac398c4f3cad0be9f6ca5cf29
                                                    • Instruction ID: 282b89e6495933af6440fbbb597b1de90ef5dffa39cee2d72f7ed257570ffe54
                                                    • Opcode Fuzzy Hash: 14b0ca790eb9ae8847579f1349c02be75ec1f05ac398c4f3cad0be9f6ca5cf29
                                                    • Instruction Fuzzy Hash: 550202B0D0061CDBEB10DFE1E9897EDBBB4FF48340F2140A4E485BA249DB725AA5CB55
                                                    APIs
                                                    • WindowFromDC.USER32(00000000), ref: 100237BF
                                                    • GetCurrentObject.GDI32(00000000,00000007), ref: 100237FF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: CurrentFromObjectWindow
                                                    • String ID:
                                                    • API String ID: 1970099965-0
                                                    • Opcode ID: b4fc28a30c016e0f3434186770363817d1562ad41469c0952657f73b3ef3185f
                                                    • Instruction ID: 5e3447216257589ac88371f0c3b1c154c22f3bd6e68f106655ab8dd4a69be074
                                                    • Opcode Fuzzy Hash: b4fc28a30c016e0f3434186770363817d1562ad41469c0952657f73b3ef3185f
                                                    • Instruction Fuzzy Hash: 9F313770D40308EBDB00DF90D886BADBBB0FB0A751F409065F6087E290E7B19A54DF96
                                                    APIs
                                                    • GetStockObject.GDI32(00000011), ref: 1001ACD1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ObjectStock
                                                    • String ID:
                                                    • API String ID: 3428563643-3916222277
                                                    • Opcode ID: 34811a479ff939bbd0d37306ad3751707146f9b865cac1cf01731385c4780bb4
                                                    • Instruction ID: b9a15d43875d05f13c7aca3fde3137a0688d1b6e1dffe905ed574dcac1c1d11e
                                                    • Opcode Fuzzy Hash: 34811a479ff939bbd0d37306ad3751707146f9b865cac1cf01731385c4780bb4
                                                    • Instruction Fuzzy Hash: AE325BB5A402569FEB00CF98DCC1B99BBF4FF29314F580065E546AB342D379B991CB22
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D531,?), ref: 10025544
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID: Thread
                                                    • API String ID: 367298776-915163573
                                                    • Opcode ID: 0f35051adc867b6f3eb31b1a967cfc10eed751901f350b72bdb8150afa714329
                                                    • Instruction ID: e87a296fab3b19ef06520bc3e141919b3527ea124beb15feda4261f24f1e3c13
                                                    • Opcode Fuzzy Hash: 0f35051adc867b6f3eb31b1a967cfc10eed751901f350b72bdb8150afa714329
                                                    • Instruction Fuzzy Hash: 38F116B5E00259ABEF00DFE4EC81BDDBBB5FF08314F640025F605BA241D7B6A9548B65
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D529,?), ref: 10024841
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID: Process
                                                    • API String ID: 367298776-1235230986
                                                    • Opcode ID: d2f68a8877050e88ca52d3a1b362dc4e0adfd70d905bf2d7a8a251b6a21b3eb8
                                                    • Instruction ID: 84bd04864f9d1e807072be8e5ab147b3cae892089b2f3c2b5496a308401e609c
                                                    • Opcode Fuzzy Hash: d2f68a8877050e88ca52d3a1b362dc4e0adfd70d905bf2d7a8a251b6a21b3eb8
                                                    • Instruction Fuzzy Hash: 85E104B5E41259ABEF00DFE4EC81B9DBBB5FF08304F640025F605BA241EB75A954CB61
                                                    APIs
                                                    • lstrlen.KERNEL32(00000000,000000FF,00000000,?,00000000,00000000,?,0000009C,00000000,?,?,FFFFFF9C,00000000), ref: 10026700
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: lstrlen
                                                    • String ID: #
                                                    • API String ID: 1659193697-1885708031
                                                    • Opcode ID: 7e6295f5caa4a652e8defb0c53b8757dc8115242becb546e1cd2ddf94898e13d
                                                    • Instruction ID: 30fcd15e93819707c4a405128049bbda1367cf8e2b4a4446b34ba685154cf5d7
                                                    • Opcode Fuzzy Hash: 7e6295f5caa4a652e8defb0c53b8757dc8115242becb546e1cd2ddf94898e13d
                                                    • Instruction Fuzzy Hash: 2232CF70D0061DEBEB10DFD0EC99BADBBB4FF48340F618094E495BA199CB715AB58B14
                                                    APIs
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,10007D8B,00000000), ref: 10007EA0
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,FFFFFFFF,10007D8B,00000000,00000000,00000000,00000000,00000000), ref: 10007F7E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide
                                                    • String ID:
                                                    • API String ID: 626452242-0
                                                    • Opcode ID: bda0d135b53912d681397df84b39cfb901c8e1d28ca02e616f5f005ca4c51389
                                                    • Instruction ID: b3f739b553b0eb222627b335ec04950199b8c6fc0fb38b6c76c83e211291c2b2
                                                    • Opcode Fuzzy Hash: bda0d135b53912d681397df84b39cfb901c8e1d28ca02e616f5f005ca4c51389
                                                    • Instruction Fuzzy Hash: 62417C74E0020DFBEB10DFD0EC46BAEBBB4FB08750F204165F618BA195DBB56A608B55
                                                    APIs
                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001368C
                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 10013744
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide
                                                    • String ID:
                                                    • API String ID: 626452242-0
                                                    • Opcode ID: 29862c888924d45c4ba2e300f17eb5bcd02a481ba966d84d668dfe1bb4d5aab7
                                                    • Instruction ID: dea56998412ea2cd2e2e07e98f2853e180ac33eb45cb94fa257388ef996dc557
                                                    • Opcode Fuzzy Hash: 29862c888924d45c4ba2e300f17eb5bcd02a481ba966d84d668dfe1bb4d5aab7
                                                    • Instruction Fuzzy Hash: 543141B5E40309BBEB50DFD49C82FAE7BB4EB04710F108055FA18BE2C1D7B6A6909B55
                                                    APIs
                                                    • ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,?,?,?,100172C1,00000000,00000000,00000000), ref: 10017D82
                                                    • ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,100172C1), ref: 10017E29
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentExpandStrings
                                                    • String ID:
                                                    • API String ID: 237503144-0
                                                    • Opcode ID: 69d3f48662c60aa8471e2db2691721ec0b878157a118ab2c20fe49b153d34404
                                                    • Instruction ID: 93bfbce67b494b6763231a081cd11fe6566247fc84b5e7443ef84a885c003b65
                                                    • Opcode Fuzzy Hash: 69d3f48662c60aa8471e2db2691721ec0b878157a118ab2c20fe49b153d34404
                                                    • Instruction Fuzzy Hash: 96313675E00309BBEB51DED49C82FAE7BF4EF08704F104065FA08BB242D772AA509B55
                                                    APIs
                                                    • DispatchMessageA.USER32(1001176C), ref: 100116D4
                                                    • CallWindowProcA.USER32(?,?,?,?), ref: 10011714
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: CallDispatchMessageProcWindow
                                                    • String ID:
                                                    • API String ID: 3568206097-0
                                                    • Opcode ID: 4482fe2aa797ff1df0b8a016cfba6ab4f1edf6d8360ca980b76e75974128ba22
                                                    • Instruction ID: 63bf1ad0f6820a7cfc32d841282287ffa4cda79eab35e4a2f1e5c3704b1abdfe
                                                    • Opcode Fuzzy Hash: 4482fe2aa797ff1df0b8a016cfba6ab4f1edf6d8360ca980b76e75974128ba22
                                                    • Instruction Fuzzy Hash: AE21C775E40318EBDB00EF94DCC2A9DBBB1FB0D310F5040A5EA08AB351D371AA90DB52
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID: 0-3916222277
                                                    • Opcode ID: 1d3d201b3cf0f4e34ced4be5fd0ab536c8b491c3572058b51f69840eb97b3778
                                                    • Instruction ID: 90b3556d9a436454375a3f12806074c3db2d9078b135128fdcdde92096655a79
                                                    • Opcode Fuzzy Hash: 1d3d201b3cf0f4e34ced4be5fd0ab536c8b491c3572058b51f69840eb97b3778
                                                    • Instruction Fuzzy Hash: 52C2B7B4F40346ABFB11CA94DCC2B9E77B0EB08390F214165F658FA2DAD7B15E408B56
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000000,00000000,00000000,?,?,?,100078F7,00000000,00000000,00000000), ref: 10002169
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,FFFFFFFF,00000000,00000002,00000000,00000000,?,?,?,?,?,?,?,100078F7), ref: 1000222A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ByteCharMultiWide
                                                    • String ID:
                                                    • API String ID: 626452242-0
                                                    • Opcode ID: e01d84eb64cce406f4b39f0ec6733233002c155c01e245fd4058cdbcce10abd4
                                                    • Instruction ID: e83377b6f6ad2707753203cfccfcc485ecbfcdf7635717af9e37d537513bb723
                                                    • Opcode Fuzzy Hash: e01d84eb64cce406f4b39f0ec6733233002c155c01e245fd4058cdbcce10abd4
                                                    • Instruction Fuzzy Hash: 29814D75E00209ABEF00DFD4DC86FEEBBB4EF08340F504065FA14BA285D7B5AA548B55
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D519,?), ref: 1001DD15
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: 9c37b9bfe50d47b947943e5bde51b1b3a93ad00f865aaf561d5891f7ad451c75
                                                    • Instruction ID: 7a99189caa79d54ac912ebbbba7bdc920c16141239c7c74b934a59564cf638f4
                                                    • Opcode Fuzzy Hash: 9c37b9bfe50d47b947943e5bde51b1b3a93ad00f865aaf561d5891f7ad451c75
                                                    • Instruction Fuzzy Hash: 2A6238B5E40348ABEB10DF94DC82F9DBBB5FF08344F244025F608BE292E7B5A9558B51
                                                    APIs
                                                    • PathFindFileNameA.SHLWAPI(00000000,?,00000000,00000000,00000000,00000000,0000001C,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1001C7F6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: FileFindNamePath
                                                    • String ID:
                                                    • API String ID: 1422272338-0
                                                    • Opcode ID: 6281f69430544266c8e70e44c834c9405fb1c3bbdf4b57ac0b35b949c557e014
                                                    • Instruction ID: f98056538ddd495e24e8dfbf0cad4fd33bc614c33abef30b02bddadc29e55c32
                                                    • Opcode Fuzzy Hash: 6281f69430544266c8e70e44c834c9405fb1c3bbdf4b57ac0b35b949c557e014
                                                    • Instruction Fuzzy Hash: 364240B5A40219ABEB00DF94ECC2F9EB7B4FF5C354F140025EA09BF241E775A9508B66
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D535,?), ref: 10025AFF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: 1d3983c04ef36cd81e02ff80b8e386635ef27858c32e0cbda266982c8d298185
                                                    • Instruction ID: ec57d409bd248faccfe3f0420db7539557fe035a6b0d78d3a35a1a7dfc2ec437
                                                    • Opcode Fuzzy Hash: 1d3983c04ef36cd81e02ff80b8e386635ef27858c32e0cbda266982c8d298185
                                                    • Instruction Fuzzy Hash: AC5208B5E00208ABEF01DF94EC82FDDBBB5FF08314F544029F614BA292D7B5A9548B65
                                                    APIs
                                                    • LoadLibraryExA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000001,00000000,00000000,00000000,00000000), ref: 1001D53E
                                                      • Part of subcall function 10001D56: IsBadCodePtr.KERNEL32(00000000), ref: 10001D73
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: CodeLibraryLoad
                                                    • String ID:
                                                    • API String ID: 4269728939-0
                                                    • Opcode ID: 65fad49489424e2679975017eff27f475cb1f496b382636ee17d060b9eab1fb1
                                                    • Instruction ID: 8ca3c93d7244418e6012e556740facccd0f38a3c9c4ff1909e44a403dc44f6d3
                                                    • Opcode Fuzzy Hash: 65fad49489424e2679975017eff27f475cb1f496b382636ee17d060b9eab1fb1
                                                    • Instruction Fuzzy Hash: BC421AB5E40318AFEF50EF94DC82BDDBBB1FB08740F500125F618BA295D7B6A9808B55
                                                    APIs
                                                      • Part of subcall function 10028720: atoi.MSVCRT(00000000), ref: 1002877E
                                                    • RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 1000918C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: MemoryMoveatoi
                                                    • String ID:
                                                    • API String ID: 2867837884-0
                                                    • Opcode ID: f552e5f7024ba99e615796b6465fd8c68d714aa37df417cf295f447d032c11c8
                                                    • Instruction ID: c625aa631b3fd7664a23ceac8d029317df328e953ac31412f977eb30fe789f83
                                                    • Opcode Fuzzy Hash: f552e5f7024ba99e615796b6465fd8c68d714aa37df417cf295f447d032c11c8
                                                    • Instruction Fuzzy Hash: 1A023DB5A40216AFFB00DF94DCC1BAEB7A5FF58354F240025E905AB385E7B5B950CB22
                                                    APIs
                                                    • RtlMoveMemory.NTDLL(00000000), ref: 1000665A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: MemoryMove
                                                    APIs
                                                    • GetKeyboardLayoutList.USER32(00000040,?,00000000,00000000), ref: 10015BEE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: KeyboardLayoutList
                                                    APIs
                                                    • LdrGetProcedureAddress.NTDLL(00000000,00000000,00000000), ref: 10006115
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: AddressProcedure
                                                    APIs
                                                    • LdrGetDllHandleEx.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 1000B6DF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Handle
                                                    APIs
                                                    • RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ComputeCrc32
                                                    APIs
                                                    • GetSystemDirectoryA.KERNEL32(00000000,00000100), ref: 10018935
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: DirectorySystem
                                                    APIs
                                                    • IsBadCodePtr.KERNEL32(00000000), ref: 10001D73
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Code
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D4C9,?), ref: 10013C79
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D50D,?), ref: 1001A092
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D51D,00000040), ref: 100228E3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D3FD,08000000), ref: 10006CF7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D481,00000000), ref: 1000FD11
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D3E1,00000004), ref: 10003177
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D485,00000000), ref: 1000FDAE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D43D,?), ref: 10008E04
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D40D,00000008), ref: 10007E19
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D441,?), ref: 10008EA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D47D,00000000), ref: 1000FAD0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D521,00000000), ref: 10022AE1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D4B9,10026CF1), ref: 10011EEA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D525,00000000), ref: 10024745
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D435,?), ref: 10008B88
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D411,?), ref: 1000839E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D44D,00000000), ref: 1000B3B4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: 76ce89a9342da98fe2dfecb2c94b98527dad8150a52251657d2f7bd5707e59c8
                                                    • Instruction ID: a0f89ea6e8a02a489adc9b983919e457af64c69ca27a1623b1b8ea733fed46f6
                                                    • Opcode Fuzzy Hash: 76ce89a9342da98fe2dfecb2c94b98527dad8150a52251657d2f7bd5707e59c8
                                                    • Instruction Fuzzy Hash: 5F0184B5D0030CEBEB00FFE0AD92FAEBB78EB04240F504066F50466145DBB1AB54DB92
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D4C5,00000014), ref: 10013804
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: df7046381827650c065037a5133842a2a86736d1ba20d916eef21a95625819b6
                                                    • Instruction ID: 3d49d6b3b442fbd771079eef3efcaca9525747ce25c9376b7200e1962427cb25
                                                    • Opcode Fuzzy Hash: df7046381827650c065037a5133842a2a86736d1ba20d916eef21a95625819b6
                                                    • Instruction Fuzzy Hash: 420152B5D04309A7EB00FFE09C82AAEB778EF04240F504066F50466151EB75AA54DB92
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D439,?), ref: 10008C25
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: 1ec75bcf5a5c2b71d65e273564a3b3c9b1f3326e431629a853761c1f5ea93f69
                                                    • Instruction ID: e89bca5dfd4d69b457f6ee300803ba63458d7d33b5f739f05a8734b2afd2cb97
                                                    • Opcode Fuzzy Hash: 1ec75bcf5a5c2b71d65e273564a3b3c9b1f3326e431629a853761c1f5ea93f69
                                                    • Instruction Fuzzy Hash: 4C0171B5D00209ABEB00FFE49CC2EAEBB78FB04240F900466E55566116DB71AB549BA6
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D4D9,?), ref: 10014029
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: 2023bc8ebed8db9c71d14d41a16ae57d1e69fa0acd5bbe78306c23398d50d97a
                                                    • Instruction ID: 2564c689c805b87f96d1dc3a9772f8e9f463aef008d258d62ef8b45eff4f05b1
                                                    • Opcode Fuzzy Hash: 2023bc8ebed8db9c71d14d41a16ae57d1e69fa0acd5bbe78306c23398d50d97a
                                                    • Instruction Fuzzy Hash: 8E01D875D0030CA7DB11FFE09C82F9E7779EB08300F400026F615A7112DB75EA549B92
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D409,00000001), ref: 10007C2B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: 61d08e19df0a214d9286b1d052d7edc03e2565f5d48c7273754c1c18bed95e81
                                                    • Instruction ID: c3b43e173740565f2226f67ccfeaefedf346a2cdf78e56352eac70fc933f1a03
                                                    • Opcode Fuzzy Hash: 61d08e19df0a214d9286b1d052d7edc03e2565f5d48c7273754c1c18bed95e81
                                                    • Instruction Fuzzy Hash: B0017575D0020CA7FB00FFE09C86F9EBB78FB14340F44446AE61966105E775AA549B92
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D52D,00000000), ref: 10025448
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: c904fddc6ddc8d15f4d357e5ecb68cc14fb2d08915d767a0cb86d415350261cd
                                                    • Instruction ID: 3e1362fdfd7180a89e2653fc66fb6b654d9ba0ea71b3ee1e512a707afa301e7c
                                                    • Opcode Fuzzy Hash: c904fddc6ddc8d15f4d357e5ecb68cc14fb2d08915d767a0cb86d415350261cd
                                                    • Instruction Fuzzy Hash: 730188B5D0021CA7DB00FFE0AC82B9EB7B8EB04345F904467F90566111D7B29A549B96
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D451,00000000), ref: 1000B451
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: 51b26b4892ccffcc6dc83c2534fb8f59ce223cf36af1d5fc13b3d33c47b94d86
                                                    • Instruction ID: 8d0e244bf49903d48fd7c686830ea074e98c76a4a96eec9f774984162f9bf409
                                                    • Opcode Fuzzy Hash: 51b26b4892ccffcc6dc83c2534fb8f59ce223cf36af1d5fc13b3d33c47b94d86
                                                    • Instruction Fuzzy Hash: BF0148B5D0431DABEB00FFE09C82FAEB778EB14340F904465F50566116EB71AB54DB92
                                                    APIs
                                                    • GetAncestor.USER32(100236B8,00000001,?,?,100236B8), ref: 1002371A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Ancestor
                                                    • String ID:
                                                    • API String ID: 4063365101-0
                                                    • Opcode ID: 0be6b4715263265285db1f468f36bdd37c7f824151cbff8a336d8021942bab24
                                                    • Instruction ID: eb8589c6fe16dd3324ac60df81f06840749ea93634a8b87ae7cb4ae9ae9ba44e
                                                    • Opcode Fuzzy Hash: 0be6b4715263265285db1f468f36bdd37c7f824151cbff8a336d8021942bab24
                                                    • Instruction Fuzzy Hash: C3F03CB4E44308EBDB10EF90E9467ADFB70EB06741F509065E6047B180E7B25A509A8A
                                                    APIs
                                                    • CreateMutexA.KERNEL32(00000000,00000000,00000001,00000001,00000000,00000000,00000001), ref: 100101C4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: CreateMutex
                                                    • String ID:
                                                    • API String ID: 1964310414-0
                                                    • Opcode ID: d12216730a6dd428996d56869a6fc80ed1219f4cbb400b599376012f3700107f
                                                    • Instruction ID: 16cce99742d90ffd21a6e538df0c97e42957f62968f0f4cbc8e65f9f29ad9446
                                                    • Opcode Fuzzy Hash: d12216730a6dd428996d56869a6fc80ed1219f4cbb400b599376012f3700107f
                                                    • Instruction Fuzzy Hash: D8F03970E45208FBDB21EF95DC02BADBB74EB05741F1080A5FA087A180D7B5AB509B95
                                                    APIs
                                                    • ReleaseMutex.KERNEL32(?,1000702C), ref: 1000635D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: MutexRelease
                                                    • String ID:
                                                    • API String ID: 1638419-0
                                                    • Opcode ID: 409f3bf5a2a7effd3d518b78c876aaf5ee200c7d662fef1c20eca6aafb3e8a79
                                                    • Instruction ID: 7b3213fa97c1f7abe5e99e727b00606adf76b996470ce0c1231a1946aded7527
                                                    • Opcode Fuzzy Hash: 409f3bf5a2a7effd3d518b78c876aaf5ee200c7d662fef1c20eca6aafb3e8a79
                                                    • Instruction Fuzzy Hash: 3AD017B0D45308B7E610AE90EC03B69BA34D706761F105161FA082A190E6B2AB2496DA
                                                    APIs
                                                    • HeapAlloc.KERNEL32(00000008,00000000), ref: 1000F7E5
                                                      • Part of subcall function 1000FA6F: InterlockedExchange.KERNEL32(1002D47D,00000000), ref: 1000FAD0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: AllocExchangeHeapInterlocked
                                                    • String ID:
                                                    • API String ID: 3051970009-0
                                                    • Opcode ID: 022b8115eb5ce5199829a80c414696cba4458c1422a7b80e9c996825c196cccc
                                                    • Instruction ID: 8cc4e7238832c14419a96c129bec8d194933ec370394a89dab4d823145446c67
                                                    • Opcode Fuzzy Hash: 022b8115eb5ce5199829a80c414696cba4458c1422a7b80e9c996825c196cccc
                                                    • Instruction Fuzzy Hash: 51310270D40209FEFB11DFA0CC02BEDBBB5FB04780F208169F614BA194DBB56A54AB55
                                                    APIs
                                                    • HeapAlloc.KERNEL32(00000008,?,?,10026C94), ref: 1000247B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: AllocHeap
                                                    • String ID:
                                                    • API String ID: 4292702814-0
                                                    • Opcode ID: 0dd204370fe18862268228c1c8de2b552e2688217c670dbeba92eeddf2ae1a81
                                                    • Instruction ID: 104a27a5d458cbbbe33f9f96244b29e3d4c33b82fd0089700704125604d1dba2
                                                    • Opcode Fuzzy Hash: 0dd204370fe18862268228c1c8de2b552e2688217c670dbeba92eeddf2ae1a81
                                                    • Instruction Fuzzy Hash: BDE08634D85308B7E610EF40DC03F29BA38E702751F508012FA083A090D6B25A649B87
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 81006eb9e473d180177001475ccb3f5d85a486848d635e7b77511459b26a50e2
                                                    • Instruction ID: b82dc38e16616ddd987b864122364eac5c1fff58b477e30fd6f02d7e5179368c
                                                    • Opcode Fuzzy Hash: 81006eb9e473d180177001475ccb3f5d85a486848d635e7b77511459b26a50e2
                                                    • Instruction Fuzzy Hash: 85721AB5E40309ABEB00DF94ECC2FDDBBB5EB0C354F644025F604BA296D7B269548B25
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e69f0c751b4262d556ab7d8e659c133a8de82433dc850d146ab5d350a12c39cd
                                                    • Instruction ID: 551f598227d6dd39184c223fb6ed838a91ab17f663f6174eca7434abf6d8a969
                                                    • Opcode Fuzzy Hash: e69f0c751b4262d556ab7d8e659c133a8de82433dc850d146ab5d350a12c39cd
                                                    • Instruction Fuzzy Hash: 40624CB5E41208BBEF11DFD0EC82BDDBBB5EF08354F204029F604BA291D7B5A9958B14
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6d84f2b69ea6095c90f23bd9b6d1a5a8279a6636e2ec472cfa5718089ee139e8
                                                    • Instruction ID: a5955423d14317f839d9afbcb2b9ced9374c1de9beecc9198591da7258e3e5d6
                                                    • Opcode Fuzzy Hash: 6d84f2b69ea6095c90f23bd9b6d1a5a8279a6636e2ec472cfa5718089ee139e8
                                                    • Instruction Fuzzy Hash: 5D32F7B1B412529BFB00CF58ECC0B59B7A5EFA9324F290074E946AF341D379B861DB61
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f04032a532c17935709fed7173e226e9a954ec38d62b032ac7340ce8b9de18a0
                                                    • Instruction ID: 3de84c3e889b2c0bc8bcd444dabd38468fbc88aeca599d708b385d83fa676b17
                                                    • Opcode Fuzzy Hash: f04032a532c17935709fed7173e226e9a954ec38d62b032ac7340ce8b9de18a0
                                                    • Instruction Fuzzy Hash: 8E22F8B2B812529BFB00CB58ECC0B55B7A5EFA5328F290474E9469F341D379F861DB21
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 060caa462227d063eaf04c7f21a9b9660bb70fdd2aceff3ad377bb009bd70efe
                                                    • Instruction ID: 2248021ac5db34a560a572e85a1c1eea5c01ad721331a673fc7f7bdbc18de49f
                                                    • Opcode Fuzzy Hash: 060caa462227d063eaf04c7f21a9b9660bb70fdd2aceff3ad377bb009bd70efe
                                                    • Instruction Fuzzy Hash: 90524471D00259CBEB20CFA4D8857DDBBB0FF48344F2180A4D599BB249DB756AA5CF90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 09f72d9719a13788e266dacaba0ea585b20990d3c1d733c69aa7536c06bb4951
                                                    • Instruction ID: fa5432d9c06c826fba32fdae05fe74482de4f60f477d8ade94ddac0ef3f6a6e0
                                                    • Opcode Fuzzy Hash: 09f72d9719a13788e266dacaba0ea585b20990d3c1d733c69aa7536c06bb4951
                                                    • Instruction Fuzzy Hash: 602215B5E00309AFEF10CF94DC82BEEBBB0FF09354F204025EA14BA296D77569548B65
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 68d3902ef48eb2b0ea1e98523cf84d220f884a2bc31b4a3403d1743386bbda7f
                                                    • Instruction ID: 15cd058cb613ad93b2deb671447fd93daff6b1ebb966e0e7c4ee6c7ed785d811
                                                    • Opcode Fuzzy Hash: 68d3902ef48eb2b0ea1e98523cf84d220f884a2bc31b4a3403d1743386bbda7f
                                                    • Instruction Fuzzy Hash: BDA160B5E00209ABEB40DEE4DC85FDE7BB8EF08354F144065FA04AA241EB75EB94CB51
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7200f153caa90d48a9700c6273f72d88bef546347f9c4dfa1c1c74185b342bdd
                                                    • Instruction ID: 14e6b09ccae86c50f75a937e7e6fe01258ff4770b1647dfaac81a6f85d8f69f1
                                                    • Opcode Fuzzy Hash: 7200f153caa90d48a9700c6273f72d88bef546347f9c4dfa1c1c74185b342bdd
                                                    • Instruction Fuzzy Hash: 7A911EB5E0020AABEF10DF94DC85B9E7BB5EF18344F204025FA14BB281D775EB948B65
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f29243b0d0ea20511f4cb1106b1515d46eb23fc76d8db8d1afdd2d9a1039e213
                                                    • Instruction ID: 03d07b771d78d2ead9be031f4861621435dfbb7e08fb32216ea170559a01278e
                                                    • Opcode Fuzzy Hash: f29243b0d0ea20511f4cb1106b1515d46eb23fc76d8db8d1afdd2d9a1039e213
                                                    • Instruction Fuzzy Hash: 078123B5E4025AABEF00CF94ECC1B9DBBB4FF19310F640025E549BB245D775A851CB25
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bd0974059ae252d5b90eb8f6432f6ddda83af5d10b71b803c1f1bc6c84e1fa75
                                                    • Instruction ID: fa026d6154386471c9ed67b0d764591261ae5350a3fbb2125f892fb7990afb2f
                                                    • Opcode Fuzzy Hash: bd0974059ae252d5b90eb8f6432f6ddda83af5d10b71b803c1f1bc6c84e1fa75
                                                    • Instruction Fuzzy Hash: 7D7135B5E4125AABEF00DFA8ECC1B9DBBB4FF18310F650025E545BB241DB75A851CB21
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ObjectSelect
                                                    • String ID:
                                                    • API String ID: 1517587568-0
                                                    • Opcode ID: 355770622b8ee66c6704d228f7a4cf4399a8d1d5d808ebab5a82fa4d81647a92
                                                    • Instruction ID: 38d14c2f8622cd03f50353335eeab2373c5cbc47d148ebdcbde86e05c5d9d7ee
                                                    • Opcode Fuzzy Hash: 355770622b8ee66c6704d228f7a4cf4399a8d1d5d808ebab5a82fa4d81647a92
                                                    • Instruction Fuzzy Hash: 4E6134B1E40349ABEB10DFE4DC86FEF76F4EB05704F500425F615BA281D7B6AA848B52
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ComputeCrc32CreateMutex
                                                    • String ID:
                                                    • API String ID: 2647859408-0
                                                    • Opcode ID: fb765643ddb528c65f4c8254d2e67b215b37ca112bcddd59e63a3746b6e22e82
                                                    • Instruction ID: 6e8f39effab6ffe8abe8ce8b2f006d743ef601de1a83054572dbacb1371b805f
                                                    • Opcode Fuzzy Hash: fb765643ddb528c65f4c8254d2e67b215b37ca112bcddd59e63a3746b6e22e82
                                                    • Instruction Fuzzy Hash: FA611274E40319EBEB00EF91DC87BEEBB71EB05750F200026F6147A191D7B1AA51DB96
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 177ff9bcddc0062e541eb72a297809aa775245e2e6d8d1f130c2bdda6e790eca
                                                    • Instruction ID: b3edc6188f52fe0267c65f768a9f0694fa0e22adacd15ae2cea2a64ff053d747
                                                    • Opcode Fuzzy Hash: 177ff9bcddc0062e541eb72a297809aa775245e2e6d8d1f130c2bdda6e790eca
                                                    • Instruction Fuzzy Hash: E4512774E40316ABEB10CF94DC96FAE77B4EF04700F604019FA49BE291D7F59A948B92
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 999cff3d56ebaad1770f9eebce6b814e78184f0733c47f680aeb2efe81abf9bb
                                                    • Instruction ID: 3ff1e0272834ebdf1ae0fa1b74ff5d017005019b99e03679453d0ba0a45af6fd
                                                    • Opcode Fuzzy Hash: 999cff3d56ebaad1770f9eebce6b814e78184f0733c47f680aeb2efe81abf9bb
                                                    • Instruction Fuzzy Hash: E2512EB5D0021AABEB00DF94DCC1BAE77B4FF18314F140465E508EB301E775AA50CB62
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 848507941d9fbffb7cbc7b29cbefd203ef99eb4224134117eb04a7a1748b5fdf
                                                    • Instruction ID: 740361c2a2a7975ea98c5d6579f5497acae074faf2527958cbce1f24f1a7fcbb
                                                    • Opcode Fuzzy Hash: 848507941d9fbffb7cbc7b29cbefd203ef99eb4224134117eb04a7a1748b5fdf
                                                    • Instruction Fuzzy Hash: 84516B75E00209EBEB00CF94DC86FAE77F4EB05344F654055F914BE281E776DA948B62
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c551d9ee4e18ac04d199571815a8ce167b17ea29bf87976a5931350147ad1b07
                                                    • Instruction ID: 6e2a16805fa032cb188a6ab09911055340e312e86faa01d054a0585f1b90ccec
                                                    • Opcode Fuzzy Hash: c551d9ee4e18ac04d199571815a8ce167b17ea29bf87976a5931350147ad1b07
                                                    • Instruction Fuzzy Hash: 14312270D44609EBEF00EF80DC46BAEBB71EB06355F205169FA043A191D3B64A54DF9A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4f752ba2bd3efe35c0db813093cd95cfd95bebb34e1c0840b79ae46e9a3f7aa2
                                                    • Instruction ID: fcd9660d6a72fe45eefc1d8f4cbc8b5498bd8d2469cb5e857af72b9432f5bd19
                                                    • Opcode Fuzzy Hash: 4f752ba2bd3efe35c0db813093cd95cfd95bebb34e1c0840b79ae46e9a3f7aa2
                                                    • Instruction Fuzzy Hash: F3313575E40308AFEB50DF94DC82B9DBBB4EB0C741F504065F608EB745E7B59A409B52
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bcbbfe027ddbde3ca2b7ee6e7a9b101e6e640faf627c7a0eeba07689440a2c60
                                                    • Instruction ID: 0e6d90bd3a1296b327673a782b8a2de37a0e9d786c9d2f722c0ab1c87383cc98
                                                    • Opcode Fuzzy Hash: bcbbfe027ddbde3ca2b7ee6e7a9b101e6e640faf627c7a0eeba07689440a2c60
                                                    • Instruction Fuzzy Hash: 69317375E40308AFEB40DF94DC82B9EBBB4EB08340F504075E608EB696E3B56A409B52
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 918643da65e37feeb39471fc9b76e24dac407e2b29faf6ea47c3fc6075c6ae67
                                                    • Instruction ID: f5bd11c3930f14deff6542fe37b9d91d6d9d9f7f47c674184f68d859604aa839
                                                    • Opcode Fuzzy Hash: 918643da65e37feeb39471fc9b76e24dac407e2b29faf6ea47c3fc6075c6ae67
                                                    • Instruction Fuzzy Hash: 8821F975A04209EFEB41CF90CD82BAE77F8EB05754F244015B908BA181E7B5EAD09B62
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ef8a370add3d5418976353e0fc23bf6dee6b9d923330f9d60947765b51f42246
                                                    • Instruction ID: cb764db9af18425858f0870d561dcf750e8236d090e6b6f48ce3485ee4cf3179
                                                    • Opcode Fuzzy Hash: ef8a370add3d5418976353e0fc23bf6dee6b9d923330f9d60947765b51f42246
                                                    • Instruction Fuzzy Hash: 7E114634845224FBEA11FF90DC42B68BBA1E712345F215067F6042A0B5DBB2ADD6DA42
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 37003275f3eaa72a6ef67eca1d876927b20d3cea41f567a5b2a029eb66a1c75e
                                                    • Instruction ID: eeae7fc577553641f4f664837c49950aecc16b69e97dd8631aebf4018e73b438
                                                    • Opcode Fuzzy Hash: 37003275f3eaa72a6ef67eca1d876927b20d3cea41f567a5b2a029eb66a1c75e
                                                    • Instruction Fuzzy Hash: FA2137B090060AEAFB10DFA0C844BEEBAB8FB05380F204271F990A6198D7349AD5D754
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5e64809ee3449bf2a7df32ff2943633b8c15e644a62c7bb0cedcca55993e9baa
                                                    • Instruction ID: ba505964bce734d70dae5fb9ba97fd24188bee46f8c6b217aecce00d80479512
                                                    • Opcode Fuzzy Hash: 5e64809ee3449bf2a7df32ff2943633b8c15e644a62c7bb0cedcca55993e9baa
                                                    • Instruction Fuzzy Hash: C9112875D00208FBEF00DF90C84579DBBB0EB05345F508069F908AE290DB759B94DB91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e2f1484a5e89f92b7548bae6589aecaccf6235fa81f97c2c0215c37c853ae1f6
                                                    • Instruction ID: 8996d56321af788ecdb48f59df6a7f6deac0e56e76c4d4795bf28b9d59f37b7c
                                                    • Opcode Fuzzy Hash: e2f1484a5e89f92b7548bae6589aecaccf6235fa81f97c2c0215c37c853ae1f6
                                                    • Instruction Fuzzy Hash: D3110975D0020DABEB00DFD0DC46BAEBBB8FF04704F104455F914BA190E7B2AB549B91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dea71471854b7794d7273d518db6e4b972dc62c76027c577b271c860ea424262
                                                    • Instruction ID: aa05f780bf07b04a9dbad2cba23d858d9fb5007feb3f8ac9aeeac6949bb19c5c
                                                    • Opcode Fuzzy Hash: dea71471854b7794d7273d518db6e4b972dc62c76027c577b271c860ea424262
                                                    • Instruction Fuzzy Hash: 07015335980208FBEF11DFA1DD02BDEBB74EB00350F108022BA146E1A0D772DAA0ABC1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 621178d27eafce4a1d86bdd6d4636c6e0afcccb944ec7a99f9e7a057a9f1ad00
                                                    • Instruction ID: f86e8bef0b9f5b7b48e3b9b3acc0b6cb1fd06cabc4355fe6e2609782588421e0
                                                    • Opcode Fuzzy Hash: 621178d27eafce4a1d86bdd6d4636c6e0afcccb944ec7a99f9e7a057a9f1ad00
                                                    • Instruction Fuzzy Hash: B401EC7594020CBEEF11DF80DC42FEDBB79EB09740F108051FA046D091D7B29AA5AB95
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7397f0f5fb6be8bcaaa4e77a6887201b2645371ef3c2632b50f96f60a1aee293
                                                    • Instruction ID: e7353d8a689e469959c960a5bb5359493e28a0ae3a5db89d5c895ffd79e8d98e
                                                    • Opcode Fuzzy Hash: 7397f0f5fb6be8bcaaa4e77a6887201b2645371ef3c2632b50f96f60a1aee293
                                                    • Instruction Fuzzy Hash: 64F04970D00208FBEB10DF90CC06BADBFB0EB01341F204065F9007A1A0D7B6AB94DB85
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2d443f961325e826377ab455a3b784cc22cadc769fa486d24d41cd9801f717dc
                                                    • Instruction ID: 682ee749917f4e023bc7197140f76a097522797ecf20c1f45cbbd45c019d52a4
                                                    • Opcode Fuzzy Hash: 2d443f961325e826377ab455a3b784cc22cadc769fa486d24d41cd9801f717dc
                                                    • Instruction Fuzzy Hash: 3CF0FE74D44258EBDB14EE90D8057EDBA74E706305F504266EA04AE190D3B18BA4DB96
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7cdb49a0a6253429c80267c98a25499fd9d93a71a0b292b5a728f2a2f59ffa35
                                                    • Instruction ID: 02fc14b9e54e6900d73ffd4e28a19c8708dbe27031dd51c44bf3dba7fdb031ba
                                                    • Opcode Fuzzy Hash: 7cdb49a0a6253429c80267c98a25499fd9d93a71a0b292b5a728f2a2f59ffa35
                                                    • Instruction Fuzzy Hash: ECF05474A00308FBEB21CF94CD81B9CBBB0EF09300F2080E4FE0467381E6B15A509B51
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 19f0f76c576cdd84307bd26bd9b5886d4290dca15e1ac3f3f611f9243f0388a9
                                                    • Instruction ID: bbfaceb90791bb35eed418166a23c42ee1e6653db07919fbe020635ad9369783
                                                    • Opcode Fuzzy Hash: 19f0f76c576cdd84307bd26bd9b5886d4290dca15e1ac3f3f611f9243f0388a9
                                                    • Instruction Fuzzy Hash: B9F03975D00218EBDB00EE90D80ABAEBA78EB15301F100465EA086E190D3B59B54DA96
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 07f80700cc5210cda7409edc569743553da25c12f3afe71f335ab42793a68d5e
                                                    • Instruction ID: 33dc01a3c2299a3cd355405e5767cb27c6d7fba89f237eed4e622fd5132f0db0
                                                    • Opcode Fuzzy Hash: 07f80700cc5210cda7409edc569743553da25c12f3afe71f335ab42793a68d5e
                                                    • Instruction Fuzzy Hash: 5AE08C34D49308B7D610EF40AC87B28BA35E706701F505056FA043A090E7F2AA649A8A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 13fe8401390d9f71333325ae1b2cb84fa7ba5aa184835648c676b8c7a690914e
                                                    • Instruction ID: 761fadcd4debd2308a54b226b4f8dff580185d7010702b48f65d1b5b1071df53
                                                    • Opcode Fuzzy Hash: 13fe8401390d9f71333325ae1b2cb84fa7ba5aa184835648c676b8c7a690914e
                                                    • Instruction Fuzzy Hash: 66E08C34D45308B7D610EF50EC43B6CBB34E707700F108056FA083A1A0D7B29E60ABCA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 989ed4646566f77c2ab72184739a9137b5d7eae5940c08cbaa9d6fc56a31f36c
                                                    • Instruction ID: 1fae9ae4253266a87bc96311d46508b5db8f13d56845d8971887a42445dbbd4a
                                                    • Opcode Fuzzy Hash: 989ed4646566f77c2ab72184739a9137b5d7eae5940c08cbaa9d6fc56a31f36c
                                                    • Instruction Fuzzy Hash: 7DD05B70D45218F7DA10EF54AC03B39BB34D707761F205261FB143E1D5D6B25920D5DA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e24509eb4154e54e63d34a257df7f67858844c9b410712c520ef3551b56a8a9a
                                                    • Instruction ID: 2a9e0740773b8b6f5e110bd1e2332ab73de667f723c53b2bed2784798aa44a4a
                                                    • Opcode Fuzzy Hash: e24509eb4154e54e63d34a257df7f67858844c9b410712c520ef3551b56a8a9a
                                                    • Instruction Fuzzy Hash: 90B01232125BD44EC1038309C423B11B7ECE300D48F090090D451C7542C14CF610C494
                                                    APIs
                                                    • GetFocus.USER32 ref: 004C43EF
                                                    • GetWindowRect.USER32(?,?), ref: 004C4446
                                                    • GetParent.USER32(?), ref: 004C4456
                                                    • GetParent.USER32(?), ref: 004C4489
                                                    • GlobalSize.KERNEL32(00000000), ref: 004C44D3
                                                    • GlobalLock.KERNEL32(00000000), ref: 004C44DB
                                                    • IsWindow.USER32(?), ref: 004C44F4
                                                    • GetTopWindow.USER32(?), ref: 004C4531
                                                    • GetWindow.USER32(00000000,00000002), ref: 004C454A
                                                    • SetParent.USER32(?,?), ref: 004C4576
                                                    • SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 004C45C1
                                                    • SendMessageA.USER32(?,00008076,00000000,00000000), ref: 004C45D0
                                                    • GetParent.USER32(?), ref: 004C45E3
                                                    • SendMessageA.USER32(?,00008004,00000000,00000000), ref: 004C45FC
                                                    • GetWindowLongA.USER32(?,000000F0), ref: 004C4604
                                                    • SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004C4634
                                                    • SendMessageA.USER32(?,0000130C,00000000,00000000), ref: 004C4642
                                                    • IsWindow.USER32(?), ref: 004C468E
                                                    • GetFocus.USER32 ref: 004C4698
                                                    • SetFocus.USER32(?,00000000), ref: 004C46B0
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004C46BB
                                                    • GlobalFree.KERNEL32(00000000), ref: 004C46C2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: Window$MessageSend$GlobalParent$Focus$FreeLockLongRectSizeUnlock
                                                    • String ID:
                                                    • API String ID: 300820980-0
                                                    • Opcode ID: 647a018591bfb8578e089642162e1cb533ddc8dd20299a7c97b7fd5eca86bcad
                                                    • Instruction ID: 3127b644e8a5c869610db6344457f4cc399a41bf09dab9003a4e7af5bce6750b
                                                    • Opcode Fuzzy Hash: 647a018591bfb8578e089642162e1cb533ddc8dd20299a7c97b7fd5eca86bcad
                                                    • Instruction Fuzzy Hash: 7DA168B4204701ABD764DF65CD94F6BBBE9BBC8700F104A1DFA4287391DB78E8058B59
                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(?), ref: 10029652
                                                    • LoadLibraryA.KERNEL32(?), ref: 1002965F
                                                    • wsprintfA.USER32 ref: 10029676
                                                    • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002968C
                                                      • Part of subcall function 10027B10: ExitProcess.KERNEL32 ref: 10027B25
                                                    • atoi.MSVCRT(?), ref: 100296CB
                                                    • strchr.MSVCRT ref: 10029703
                                                    • GetProcAddress.KERNEL32(00000000,00000040), ref: 10029721
                                                    • wsprintfA.USER32 ref: 10029739
                                                    • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002974F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
                                                    • String ID: DLL ERROR
                                                    • API String ID: 3187504500-4092134112
                                                    • Opcode ID: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
                                                    • Instruction ID: 2d8d4974cead62a1b0d3c1b872151993aa02a2f76add0cb6c4d459240c98e11b
                                                    • Opcode Fuzzy Hash: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
                                                    • Instruction Fuzzy Hash: 7E3139B26003529BE310EF74AC94F9BB7D8EB85340F904929FB09D3241EB75E919C7A5
                                                    APIs
                                                    • ??2@YAPAXI@Z.MSVCRT(?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00000001), ref: 10028E9E
                                                    • strrchr.MSVCRT ref: 10028EC7
                                                    • RegOpenKeyA.ADVAPI32(00000000,00000000,?), ref: 10028EE0
                                                    • ??2@YAPAXI@Z.MSVCRT ref: 10028F03
                                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000400,?,?,?,00000698,80000004,00000000,00000000,00000000), ref: 10028F26
                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F34
                                                    • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F3E
                                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000), ref: 10028F5B
                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F8A
                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000), ref: 10028F97
                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F9E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ??2@??3@$QueryValue$CloseOpenstrrchr
                                                    • String ID:
                                                    • API String ID: 1380196384-0
                                                    • Opcode ID: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
                                                    • Instruction ID: 11253f6a850e8c32f07a3e9f8fa5c0c7ac66a22cffc6c79301f50e11ea2e9c0e
                                                    • Opcode Fuzzy Hash: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
                                                    • Instruction Fuzzy Hash: 304126792003055BE344DA78EC45E2B77D9EFC2660F950A2DF915C3281EE75EE0983A2
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,00534152,?,Microsoft Visual C++ Runtime Library,00012010,?,007C919C,?,007C91EC,?,?,?,Runtime Error!Program: ), ref: 0053B7E7
                                                    • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0053B7FF
                                                    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0053B810
                                                    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0053B81D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$LibraryLoad
                                                    • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                    • API String ID: 2238633743-4044615076
                                                    • Opcode ID: cd5a99d3ae21148215eef40b4b3e2c06a136d6a41904b5fced94b3a7088571a7
                                                    • Instruction ID: cd3865fb14679fe404eec5118ea1c91d0cb48bb0d882a318f67504b037250069
                                                    • Opcode Fuzzy Hash: cd5a99d3ae21148215eef40b4b3e2c06a136d6a41904b5fced94b3a7088571a7
                                                    • Instruction Fuzzy Hash: 4D017C71601301ABAB609FB5AC84A6ABFECFA98791B44443EF301C2161DB74C9579B61
                                                    APIs
                                                    • LCMapStringW.KERNEL32(00000000,00000100,007C942C,00000001,00000000,00000000,771AE860,0082BD44,?,?,?,0052FCCD,?,?,?,00000000), ref: 00537596
                                                    • LCMapStringA.KERNEL32(00000000,00000100,007C9428,00000001,00000000,00000000,?,?,0052FCCD,?,?,?,00000000,00000001), ref: 005375B2
                                                    • LCMapStringA.KERNEL32(?,?,?,0052FCCD,?,?,771AE860,0082BD44,?,?,?,0052FCCD,?,?,?,00000000), ref: 005375FB
                                                    • MultiByteToWideChar.KERNEL32(?,0082BD45,?,0052FCCD,00000000,00000000,771AE860,0082BD44,?,?,?,0052FCCD,?,?,?,00000000), ref: 00537633
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,?,0052FCCD,?,00000000,?,?,0052FCCD,?), ref: 0053768B
                                                    • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0052FCCD,?), ref: 005376A1
                                                    • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0052FCCD,?), ref: 005376D4
                                                    • LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0052FCCD,?), ref: 0053773C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: String$ByteCharMultiWide
                                                    • String ID:
                                                    • API String ID: 352835431-0
                                                    • Opcode ID: e86e594c4e53d6abf8ae965436166b39bf55b2b00f60a15279198b0530d4aa6d
                                                    • Instruction ID: 7cc9ecddc5018faacf7b363fa2b484acd24767e86601dcff93defb5c3da2efd3
                                                    • Opcode Fuzzy Hash: e86e594c4e53d6abf8ae965436166b39bf55b2b00f60a15279198b0530d4aa6d
                                                    • Instruction Fuzzy Hash: 3C5168B1904A49EFCF228F98DD56EEE7FB5FB48754F204519F911A2160D3328D20EBA0
                                                    APIs
                                                    • CreatePopupMenu.USER32 ref: 004D1A6E
                                                    • AppendMenuA.USER32(?,?,00000000,?), ref: 004D1BD1
                                                    • AppendMenuA.USER32(?,00000000,00000000,?), ref: 004D1C09
                                                    • ModifyMenuA.USER32(?,00000000,00000000,00000000,00000000), ref: 004D1C27
                                                    • AppendMenuA.USER32(?,?,00000000,?), ref: 004D1C85
                                                    • ModifyMenuA.USER32(?,?,?,?,?), ref: 004D1CAA
                                                    • AppendMenuA.USER32(?,?,?,?), ref: 004D1CF2
                                                    • ModifyMenuA.USER32(?,?,?,?,?), ref: 004D1D17
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: Menu$Append$Modify$CreatePopup
                                                    • String ID:
                                                    • API String ID: 3846898120-0
                                                    • Opcode ID: 20826babb989f5e736250c80dcd0fa1a275c245e1f715fe9bc7b9d36ffc9fef0
                                                    • Instruction ID: 3e1ae15f5f027956ee5481439c73db12b96aed040bc784fb215d33a7b97caef1
                                                    • Opcode Fuzzy Hash: 20826babb989f5e736250c80dcd0fa1a275c245e1f715fe9bc7b9d36ffc9fef0
                                                    • Instruction Fuzzy Hash: 44D177B1604310ABC714DF18C894A6BBBE4EF99754F04492EF98593361E739EC41CBAA
                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0053409B
                                                    • GetStdHandle.KERNEL32(000000F4,007C919C,00000000,00000000,00000000,?), ref: 00534171
                                                    • WriteFile.KERNEL32(00000000), ref: 00534178
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: File$HandleModuleNameWrite
                                                    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                    • API String ID: 3784150691-4022980321
                                                    • Opcode ID: 44d1dd80293e663d5ac1218e8b7adabf97ca11d90153c478b998163af7059214
                                                    • Instruction ID: 1f027e4b3f91af8a4ecf20f334a3eca0d66f92e4be03934789845ddfcab1dbcf
                                                    • Opcode Fuzzy Hash: 44d1dd80293e663d5ac1218e8b7adabf97ca11d90153c478b998163af7059214
                                                    • Instruction Fuzzy Hash: D131B473A00219AFDF20AA60CC8EFDA7BACFB85750F15046AF245DA091E674A9848F51
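Three of the function records above resolve or report on imports at run time and look alike in a signature list, but they mean different things to a triager. The record in the 10000000 dump that calls GetModuleHandleA and LoadLibraryA, then atoi and strchr, then GetProcAddress with a second argument of 00000040 and shows a "DLL ERROR" message box on failure is the sample's own resolver; a GetProcAddress name argument that small is consistent with import by ordinal. The record that loads user32.dll and resolves MessageBoxA, GetActiveWindow and GetLastActivePopup, and the record carrying the "Microsoft Visual C++ Runtime Library", "Runtime Error!Program:" and "<program name unknown>" strings, are the error-reporting path of the statically linked MSVC C runtime and are present in any binary built that way. The Python helper below is an added example and is not part of the Joe Sandbox report or of the sample: it parses this report's record format (the API bullet lines, API ID, String ID and Instruction Fuzzy Hash), tags records that carry the CRT markers as likely runtime boilerplate, and flags genuine dynamic resolution, with an extra flag when the GetProcAddress argument parses as a hex value no larger than 0xFFFF. The record text is copied from the records above and trimmed to the lines the parser uses; the CRT marker list and the ordinal heuristic are this helper's own assumptions, not something the report states.

```python
"""Added triage helper for Joe Sandbox function records (example, not from the report).
CRT_MARKERS and the ordinal heuristic are this helper's own assumptions."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# One API bullet: "• Name.MODULE(args), ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR: "; args may be absent ("wsprintfA.USER32 ref: ...").
API_RE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# Strings and GetProcAddress targets of the statically linked MSVC CRT error path (assumption).
CRT_MARKERS = ("Microsoft Visual C++ Runtime Library", "Runtime Error!Program:", "<program name unknown>")
CRT_MSGBOX_PROCS = {"MessageBoxA", "GetActiveWindow", "GetLastActivePopup"}
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetModuleHandleA", "GetModuleHandleW"}

@dataclass
class Call:
    name: str
    module: str
    args: list[str]
    ref: str
    subcall: bool

@dataclass
class Record:
    calls: list[Call] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    fuzzy_hash: str = ""

def parse_records(text: str) -> list[Record]:
    """Split report text into records; each record ends at its Instruction Fuzzy Hash line."""
    records, cur = [], Record()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            raw_args = m.group("args")
            args = [a.strip() for a in raw_args.split(",")] if raw_args else []
            cur.calls.append(Call(m.group("name"), m.group("module"), args, m.group("ref"), m.group("sub") is not None))
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• String ID:"):
            cur.string_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):
            cur.fuzzy_hash = line.split(":", 1)[1].strip()
            records.append(cur)
            cur = Record()
    return records

def looks_like_ordinal(arg: str) -> bool:
    """Heuristic: GetProcAddress name argument that is a hex value in 1..0xFFFF (MAKEINTRESOURCE style)."""
    try:
        return 0 < int(arg, 16) <= 0xFFFF
    except ValueError:
        return False

def triage(rec: Record) -> str:
    names = {c.name for c in rec.calls}
    dynamic = bool(names & LOADERS) and "GetProcAddress" in names
    procs = {c.args[1] for c in rec.calls if c.name == "GetProcAddress" and len(c.args) > 1}
    seen = rec.string_id + " " + " ".join(a for c in rec.calls for a in c.args)
    if any(mk in seen for mk in CRT_MARKERS) or (procs and procs <= CRT_MSGBOX_PROCS):
        return "likely-crt"  # runtime-library boilerplate, not the sample's own loader
    if dynamic and any(looks_like_ordinal(p) for p in procs):
        return "dynamic-resolution-ordinal"
    return "dynamic-resolution" if dynamic else "other"

# Three records copied from this report, trimmed to the lines the parser uses (headings dropped).
SAMPLE_REPORT = """\
• GetModuleHandleA.KERNEL32(?), ref: 10029652
• LoadLibraryA.KERNEL32(?), ref: 1002965F
• MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002968C
  • Part of subcall function 10027B10: ExitProcess.KERNEL32 ref: 10027B25
• atoi.MSVCRT(?), ref: 100296CB
• GetProcAddress.KERNEL32(00000000,00000040), ref: 10029721
• API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
• String ID: DLL ERROR
• Instruction Fuzzy Hash: 7E3139B26003529BE310EF74AC94F9BB7D8EB85340F904929FB09D3241EB75E919C7A5
• LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,00534152,?,Microsoft Visual C++ Runtime Library,00012010,?,007C919C,?,007C91EC,?,?,?,Runtime Error!Program:), ref: 0053B7E7
• GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0053B7FF
• GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0053B810
• GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0053B81D
• API ID: AddressProc$LibraryLoad
• String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
• Instruction Fuzzy Hash: 4D017C71601301ABAB609FB5AC84A6ABFECFA98791B44443EF301C2161DB74C9579B61
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0053409B
• GetStdHandle.KERNEL32(000000F4,007C919C,00000000,00000000,00000000,?), ref: 00534171
• WriteFile.KERNEL32(00000000), ref: 00534178
• API ID: File$HandleModuleNameWrite
• String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
• Instruction Fuzzy Hash: D131B473A00219AFDF20AA60CC8EFDA7BACFB85750F15046AF245DA091E674A9848F51
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE_REPORT):
        print(triage(rec), rec.api_id, rec.fuzzy_hash[:16], len(rec.calls))
```

The "likely-crt" tag is meant to move a record down the review queue, not to clear it: the fuzzy hashes still identify the function, and a sample could embed the same strings deliberately. Records tagged "dynamic-resolution-ordinal" are the ones to open in the disassembly first, since the atoi and strchr calls next to the GetProcAddress suggest the resolver parses a textual ordinal.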
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %I64d$%lf
                                                    • API String ID: 0-1545097854
                                                    • Opcode ID: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
                                                    • Instruction ID: a68653634a99df22c50c27c61c92b13d05d716d03379e836d9a088690611f418
                                                    • Opcode Fuzzy Hash: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
                                                    • Instruction Fuzzy Hash: 0F516C7A5052424BD738D524BC85AEF73C4EBC0310FE08A2EFA59D21D1DE79DE458392
                                                    APIs
                                                    • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0052DFAE), ref: 00533A82
                                                    • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0052DFAE), ref: 00533A96
                                                    • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0052DFAE), ref: 00533AC2
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0052DFAE), ref: 00533AFA
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0052DFAE), ref: 00533B1C
                                                    • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0052DFAE), ref: 00533B35
                                                    • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0052DFAE), ref: 00533B48
                                                    • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00533B86
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                    • String ID:
                                                    • API String ID: 1823725401-0
                                                    • Opcode ID: d570133b7d91ad5f6a6293394aad9a64a34e1d88e58a043df96b3a932e071015
                                                    • Instruction ID: 2b1616c7106ceec47167a88201f87a4b633230707dc60d2b1198306b476f87a8
                                                    • Opcode Fuzzy Hash: d570133b7d91ad5f6a6293394aad9a64a34e1d88e58a043df96b3a932e071015
                                                    • Instruction Fuzzy Hash: 6E31E1725082656FD7207FB96CA883FFF9CFB95368F150939F592C3110EA218E848265
                                                    APIs
                                                    • IsWindow.USER32(?), ref: 004C0B8D
                                                    • GetParent.USER32(?), ref: 004C0B9F
                                                    • SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004C0BC7
                                                    • GetWindowRect.USER32(?,?), ref: 004C0C51
                                                    • InvalidateRect.USER32(?,?,00000001,?), ref: 004C0C74
                                                    • GetWindowRect.USER32(?,?), ref: 004C0E3C
                                                    • InvalidateRect.USER32(?,?,00000001,?), ref: 004C0E5D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: Rect$Window$Invalidate$MessageParentSend
                                                    • String ID:
                                                    • API String ID: 236041146-0
                                                    • Opcode ID: 098f9dc97179b873922c3abe21b9eef9e35919f87e2c218f2e93e7561513f00e
                                                    • Instruction ID: e0947b56ca2f04a257385ec4098ac119cb8262acb62baf3dfd04bcfada64dcc0
                                                    • Opcode Fuzzy Hash: 098f9dc97179b873922c3abe21b9eef9e35919f87e2c218f2e93e7561513f00e
                                                    • Instruction Fuzzy Hash: F491D035604306DBCB64EF65C850F6B73E8AF84758F040A1DFD469B292EB38ED018B99
                                                    APIs
                                                    • GetStringTypeW.KERNEL32(00000001,007C942C,00000001,?,771AE860,0082BD44,?,?,0052FCCD,?,?,?,00000000,00000001), ref: 0053AD67
                                                    • GetStringTypeA.KERNEL32(00000000,00000001,007C9428,00000001,?,?,0052FCCD,?,?,?,00000000,00000001), ref: 0053AD81
                                                    • GetStringTypeA.KERNEL32(?,?,?,?,0052FCCD,771AE860,0082BD44,?,?,0052FCCD,?,?,?,00000000,00000001), ref: 0053ADB5
                                                    • MultiByteToWideChar.KERNEL32(?,0082BD45,?,?,00000000,00000000,771AE860,0082BD44,?,?,0052FCCD,?,?,?,00000000,00000001), ref: 0053ADED
                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0052FCCD,?), ref: 0053AE43
                                                    • GetStringTypeW.KERNEL32(?,?,00000000,0052FCCD,?,?,?,?,?,?,0052FCCD,?), ref: 0053AE55
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: StringType$ByteCharMultiWide
                                                    • String ID:
                                                    • API String ID: 3852931651-0
                                                    • Opcode ID: 0d83e51d5868e8e8016c70a6eade98d1b35a08c1d42d0758f2823775c7e86228
                                                    • Instruction ID: 525e6efb8c9d8dacceed9861c887d0c5f425e2300bb12bc5ead7656633da191f
                                                    • Opcode Fuzzy Hash: 0d83e51d5868e8e8016c70a6eade98d1b35a08c1d42d0758f2823775c7e86228
                                                    • Instruction Fuzzy Hash: AD419872A00619EFCF219F94DC85EEF3FB8FB09B91F104829FA02D2150D7318914ABA1
                                                    APIs
                                                    • TlsGetValue.KERNEL32(00827A84,00827A74,00000000,?,00827A84,?,0054A007,00827A74,00000000,?,00000000,00549A1E,0054930D,00549A3A,00544E41,005460E6), ref: 00549DAA
                                                    • EnterCriticalSection.KERNEL32(00827AA0,00000010,?,00827A84,?,0054A007,00827A74,00000000,?,00000000,00549A1E,0054930D,00549A3A,00544E41,005460E6), ref: 00549DF9
                                                    • LeaveCriticalSection.KERNEL32(00827AA0,00000000,?,00827A84,?,0054A007,00827A74,00000000,?,00000000,00549A1E,0054930D,00549A3A,00544E41,005460E6), ref: 00549E0C
                                                    • LocalAlloc.KERNEL32(00000000,00000004,?,00827A84,?,0054A007,00827A74,00000000,?,00000000,00549A1E,0054930D,00549A3A,00544E41,005460E6), ref: 00549E22
                                                    • LocalReAlloc.KERNEL32(?,00000004,00000002,?,00827A84,?,0054A007,00827A74,00000000,?,00000000,00549A1E,0054930D,00549A3A,00544E41,005460E6), ref: 00549E34
                                                    • TlsSetValue.KERNEL32(00827A84,00000000), ref: 00549E70
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: AllocCriticalLocalSectionValue$EnterLeave
                                                    • String ID:
                                                    • API String ID: 4117633390-0
                                                    • Opcode ID: 0c27672eb7e2a69b119a922bc5c51664f563aa7cedc99e4f1f87a0019934c0f2
                                                    • Instruction ID: 09b94d30be2fa56e2af3ae6a8895b8d0937651ee5ae5d43eb24d9b14e3d7152c
                                                    • Opcode Fuzzy Hash: 0c27672eb7e2a69b119a922bc5c51664f563aa7cedc99e4f1f87a0019934c0f2
                                                    • Instruction Fuzzy Hash: CE31BF75100A05EFDB24DF65D89AFA7BBE8FB85359F00C618E416C7280DB70E819CB61
                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0054A8F4
                                                      • Part of subcall function 0054A9E0: lstrlenA.KERNEL32(00000104,00000000,?,0054A924), ref: 0054AA17
                                                    • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0054A995
                                                    • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0054A9C2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: FileModuleNamelstrcatlstrcpylstrlen
                                                    • String ID: .HLP$.INI
                                                    • API String ID: 2421895198-3011182340
                                                    • Opcode ID: b5f670ab424f6d573ced6785778ccfc7733a109d63daecc920e69335f265d809
                                                    • Instruction ID: e309acdd19f7f32f2058438a563518ae08deb733372e08b10e14560455945e81
                                                    • Opcode Fuzzy Hash: b5f670ab424f6d573ced6785778ccfc7733a109d63daecc920e69335f265d809
                                                    • Instruction Fuzzy Hash: F8316FB6844B19AFDB61DB70D889BC6BBFCBF04314F10496AE19AD3151DB70A984CB50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aea30e3c93261d788dedff7c98bfb86e2458d733cfd34f69ca971d7bc867fbe2
                                                    • Instruction ID: 10a36cc3363beee2afae00e2a34806bd8da0daef00e17cb18d2a0e3ed9a6e149
                                                    • Opcode Fuzzy Hash: aea30e3c93261d788dedff7c98bfb86e2458d733cfd34f69ca971d7bc867fbe2
                                                    • Instruction Fuzzy Hash: 54C1AD759047069FC350DF25C881E6FB7E9EBC5748F40892EF84297211EB38F9068BA6
                                                    APIs
                                                    • GetStartupInfoA.KERNEL32(?), ref: 00533BF7
                                                    • GetFileType.KERNEL32(?,?,00000000), ref: 00533CA2
                                                    • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00533D05
                                                    • GetFileType.KERNEL32(00000000,?,00000000), ref: 00533D13
                                                    • SetHandleCount.KERNEL32 ref: 00533D4A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: FileHandleType$CountInfoStartup
                                                    • String ID:
                                                    • API String ID: 1710529072-0
                                                    • Opcode ID: 38464a502c0b8e53c88d84cb5f93696967751c446be7360dba016f0289055c5c
                                                    • Instruction ID: fac841d1aa36cbe694dfe7fe8808099668c6041950a376ca93d5bf2937fb9e35
                                                    • Opcode Fuzzy Hash: 38464a502c0b8e53c88d84cb5f93696967751c446be7360dba016f0289055c5c
                                                    • Instruction Fuzzy Hash: 465102716006498FC720CB68D898BA5BFE0BF11368F299B6CD592DB2E1D730DE46D750
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.2565563441.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566058775.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566579813.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566616704.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566743931.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566772327.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566802404.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566830245.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566859481.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2566887847.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.2567062278.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: Menu$Destroy$AcceleratorTableWindow
                                                    • String ID:
                                                    • API String ID: 1240299919-0
                                                    • Opcode ID: e6e90fd9b84b9717b3859d7d9dafc34c096d08914daa7865720e872bf2ba34f5
                                                    • Instruction ID: ba1ee79579909c9762ed2fcb1c755608a1fe3fc2e43e3ce77f5f630114272844
                                                    • Opcode Fuzzy Hash: e6e90fd9b84b9717b3859d7d9dafc34c096d08914daa7865720e872bf2ba34f5
                                                    • Instruction Fuzzy Hash: 1531A476500206AFC760EF65DC44E6B77A9EF84348F02491DFC4587252EB38E809CBB4
                                                    APIs
                                                    • GetLastError.KERNEL32(00000103,7FFFFFFF,005302C2,00532BD7,00000000,?,?,00000000,00000001), ref: 00533DBE
                                                    • TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00533DCC
                                                    • SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00533E18
                                                      • Part of subcall function 005306B6: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00533DE1,00000001,00000074,?,?,00000000,00000001), ref: 005307AC
                                                    • TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00533DF0
                                                    • GetCurrentThreadId.KERNEL32 ref: 00533E01
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastValue$AllocCurrentHeapThread
                                                    • String ID:
                                                    • API String ID: 2020098873-0
                                                    • Opcode ID: 867b27963f1c94ac78a9d68af50683a92344fcf9b2fa8fc6a189ad7665713013
                                                    • Instruction ID: a077b9cd3ae76f53fca4410c562ffbe4335af381459dad44727e585bb389d531
                                                    • Opcode Fuzzy Hash: 867b27963f1c94ac78a9d68af50683a92344fcf9b2fa8fc6a189ad7665713013
                                                    • Instruction Fuzzy Hash: 05F0F636901B225BC7202B71BC1D71A3F54FF80772F100618F641DA1E0CF248941A694
                                                    APIs
                                                    • wsprintfA.USER32 ref: 10027B78
                                                    • MessageBoxA.USER32(00000000,?,error,00000010), ref: 10027B8F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Messagewsprintf
                                                    • String ID: error$program internal error number is %d. %s
                                                    • API String ID: 300413163-3752934751
                                                    • Opcode ID: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                                                    • Instruction ID: e1549d366f44cd83cf328da68a9c66535f66093051f9031b2c984319b6cde580
                                                    • Opcode Fuzzy Hash: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                                                    • Instruction Fuzzy Hash: B9E092755002006BE344EBA4ECAAFAA33A8E708701FC0085EF34981180EBB1A9548616
                                                    APIs
                                                    • HeapAlloc.KERNEL32(00000000,00002020,007E9DD0,007E9DD0,?,?,00538878,00000000,00000010,00000000,00000009,00000009,?,0052F901,00000010,00000000), ref: 005383CD
                                                    • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00538878,00000000,00000010,00000000,00000009,00000009,?,0052F901,00000010,00000000), ref: 005383F1
                                                    • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00538878,00000000,00000010,00000000,00000009,00000009,?,0052F901,00000010,00000000), ref: 0053840B
                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00538878,00000000,00000010,00000000,00000009,00000009,?,0052F901,00000010,00000000,?), ref: 005384CC
                                                    • HeapFree.KERNEL32(00000000,00000000,?,?,00538878,00000000,00000010,00000000,00000009,00000009,?,0052F901,00000010,00000000,?,00000000), ref: 005384E3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual$FreeHeap
                                                    • String ID:
                                                    • API String ID: 714016831-0
                                                    • Opcode ID: 991dbcac537383657eda3a7bde5d71162a55313cd4487680932ac892e478646f
                                                    • Instruction ID: 942abc00e94d758f5b59d3e96f9968313f9d00eb1fb7caf674c9f657b2a72b70
                                                    • Opcode Fuzzy Hash: 991dbcac537383657eda3a7bde5d71162a55313cd4487680932ac892e478646f
                                                    • Instruction Fuzzy Hash: 4D3102B16017169BD734CF24EC44B72BFA0FB48758F108A39F2559BAD0EB74A804CB48
                                                    APIs
                                                    • IsWindow.USER32(00000000), ref: 004C2E04
                                                    • GetParent.USER32(00000000), ref: 004C2E54
                                                    • IsWindow.USER32(?), ref: 004C2E74
                                                    • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 004C2EEF
                                                      • Part of subcall function 005444AA: ShowWindow.USER32(?,?,004C0E6C,00000000), ref: 005444B8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: Window$ParentShow
                                                    • String ID:
                                                    • API String ID: 2052805569-0
                                                    • Opcode ID: 687432f1f2540717fc2b56ce354572a91960382ebb6e5681addc0a75091fd5d7
                                                    • Instruction ID: 007fa6930f704811530952e320cf4f3433f0727d2dd3ca81dd8391a694185478
                                                    • Opcode Fuzzy Hash: 687432f1f2540717fc2b56ce354572a91960382ebb6e5681addc0a75091fd5d7
                                                    • Instruction Fuzzy Hash: B041A03A6007059BD760DE65CD81FABB3A4AF84754F04452EFD05AB381D7F8EC058BA9
                                                    APIs
                                                    • malloc.MSVCRT ref: 10029FB3
                                                    • LCMapStringA.KERNEL32(00000804,00400000,?,?,00000000,?,?,?,?,?,000009DC,00000000,?,10028774,00000001,?), ref: 10029FE7
                                                    • free.MSVCRT ref: 10029FF6
                                                    • free.MSVCRT ref: 1002A014
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: free$Stringmalloc
                                                    • String ID:
                                                    • API String ID: 3576809655-0
                                                    • Opcode ID: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                                                    • Instruction ID: fe1f6c240ce4a888f48c4ee73cb5f64fbc811d22bf13276520b53d25543597c8
                                                    • Opcode Fuzzy Hash: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                                                    • Instruction Fuzzy Hash: 2311D27A2042042BD348DA78AC45E7BB3D9DBC5265FA0463EF226D22C1EE71ED094365
                                                    APIs
                                                    • GetVersion.KERNEL32 ref: 0052DF3E
                                                      • Part of subcall function 00533F98: HeapCreate.KERNEL32(00000000,00001000,00000000,0052DF76,00000001), ref: 00533FA9
                                                      • Part of subcall function 00533F98: HeapDestroy.KERNEL32 ref: 00533FE8
                                                    • GetCommandLineA.KERNEL32 ref: 0052DF9E
                                                    • GetStartupInfoA.KERNEL32(?), ref: 0052DFC9
                                                    • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0052DFEC
                                                      • Part of subcall function 0052E045: ExitProcess.KERNEL32 ref: 0052E062
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                    • String ID:
                                                    • API String ID: 2057626494-0
                                                    • Opcode ID: e7991187c405a5c657d8012c85f116ae9ec1b913ef2eb4f9835e5783d806f659
                                                    • Instruction ID: b07d7e60d4e6e2a2b43dd792442559cecc635a883b7b7f83cc69d3e872582151
                                                    • Opcode Fuzzy Hash: e7991187c405a5c657d8012c85f116ae9ec1b913ef2eb4f9835e5783d806f659
                                                    • Instruction Fuzzy Hash: 152180B1D047169EDB14AFB5EC5EA6D7FB8FF45700F104419F5019A2A1DB788941CB60
                                                    APIs
                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000020,00000000,00000000,00000000,80000005), ref: 10028DC8
                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9), ref: 10028E07
                                                    • CloseHandle.KERNEL32(00000000,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E1A
                                                    • CloseHandle.KERNEL32(00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E35
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2570163529.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: CloseFileHandle$CreateWrite
                                                    • String ID:
                                                    • API String ID: 3602564925-0
                                                    • Opcode ID: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                                                    • Instruction ID: f6076fed0b983a52129b8cb4bf2c1cdfe7202da6017c1e667b93af5c44e6f27f
                                                    • Opcode Fuzzy Hash: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                                                    • Instruction Fuzzy Hash: 39118E36201301ABE710DF18ECC5F6BB7E8FB84714F550919FA6497290D370E90E8B66
                                                    APIs
                                                    • GetCPInfo.KERNEL32(?,00000000), ref: 00533123
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: Info
                                                    • String ID: $
                                                    • API String ID: 1807457897-3032137957
                                                    • Opcode ID: d1bb8b184f3352bed80452d50f3c9204763ae379cd3c92ea79c654891f836137
                                                    • Instruction ID: d01e2c7a0cf4411291fadcf202be6b9a69ea7c436b60de62783a0a9f6d851917
                                                    • Opcode Fuzzy Hash: d1bb8b184f3352bed80452d50f3c9204763ae379cd3c92ea79c654891f836137
                                                    • Instruction Fuzzy Hash: C44147351052986EDB268764DD49BFB7FA9FF06700F1404E4E689CB053C3A14B48CB62
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00541A67
                                                      • Part of subcall function 00545AEB: __EH_prolog.LIBCMT ref: 00545AF0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID: Hr|$V5
                                                    • API String ID: 3519838083-287586100
                                                    • Opcode ID: bb30d3bb2469c097396fff6c275649e0d798f2d7b51c463e346cccf888e9f960
                                                    • Instruction ID: 8d0f13ccc79fd192432d8b7166861417e8a4d7044fd187c59576a9ebbbeedcee
                                                    • Opcode Fuzzy Hash: bb30d3bb2469c097396fff6c275649e0d798f2d7b51c463e346cccf888e9f960
                                                    • Instruction Fuzzy Hash: 51F02830A01B05A7D734AB75854ABCE7FF4BB0471CF10863EB106965C2DBB48980C6A4
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00546186
                                                      • Part of subcall function 00545AEB: __EH_prolog.LIBCMT ref: 00545AF0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID: V5 $xk|
                                                    • API String ID: 3519838083-3271888328
                                                    • Opcode ID: 55c499686af89a1c782a1546af300720fb9dfde5505813c1420ac228c28b3b01
                                                    • Instruction ID: 3832c99a36d08ca000ed4c5f5effb8e8baf7ef0ed07abf395d00a7edf5ce4fe9
                                                    • Opcode Fuzzy Hash: 55c499686af89a1c782a1546af300720fb9dfde5505813c1420ac228c28b3b01
                                                    • Instruction Fuzzy Hash: 4AF0F470A00705ABDB24AB65844B7DE7FE4BB04318F10852EB501961C2CA78CA00C745
                                                    APIs
                                                    • HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00537CD2,00000000,00000000,00000000,0052F8A3,00000000,00000000,?,00000000,00000000,00000000), ref: 00537F32
                                                    • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00537CD2,00000000,00000000,00000000,0052F8A3,00000000,00000000,?,00000000,00000000,00000000), ref: 00537F66
                                                    • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00537F80
                                                    • HeapFree.KERNEL32(00000000,?), ref: 00537F97
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: AllocHeap$FreeVirtual
                                                    • String ID:
                                                    • API String ID: 3499195154-0
                                                    • Opcode ID: 0503dc02ae42ee87c5147a2e0f64eac262c90d96ebe3d0143bade627e7d6f923
                                                    • Instruction ID: 26a2d7347f7df36e28c9919c35e4d4fc5052968074744c83a50aa0b8215e5fd5
                                                    • Opcode Fuzzy Hash: 0503dc02ae42ee87c5147a2e0f64eac262c90d96ebe3d0143bade627e7d6f923
                                                    • Instruction Fuzzy Hash: 2B119E702027409FC7308F59EC45EA27FB2FB95360B148A29F152C75B0D331A846DF04
                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(00827C38,?,00000000,?,?,0054A04D,00000010,?,00000000,?,?,?,00549A34,00549A97,0054930D,00549A3A), ref: 0054AD17
                                                    • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0054A04D,00000010,?,00000000,?,?,?,00549A34,00549A97,0054930D,00549A3A), ref: 0054AD29
                                                    • LeaveCriticalSection.KERNEL32(00827C38,?,00000000,?,?,0054A04D,00000010,?,00000000,?,?,?,00549A34,00549A97,0054930D,00549A3A), ref: 0054AD32
                                                    • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,0054A04D,00000010,?,00000000,?,?,?,00549A34,00549A97,0054930D,00549A3A,00544E41), ref: 0054AD44
                                                      • Part of subcall function 0054AC49: GetVersion.KERNEL32(?,0054ACEC,?,0054A04D,00000010,?,00000000,?,?,?,00549A34,00549A97,0054930D,00549A3A,00544E41,005460E6), ref: 0054AC5C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$Enter$InitializeLeaveVersion
                                                    • String ID:
                                                    • API String ID: 1193629340-0
                                                    • Opcode ID: bb8389f35bd2c6a99bde4d361fcdbad8b99677470b8a5d3dc0bbd2e26700a264
                                                    • Instruction ID: 9094060d02c22089b7eb9b224c9fdb09d7a91167286a51c28f094c6f1adee2d4
                                                    • Opcode Fuzzy Hash: bb8389f35bd2c6a99bde4d361fcdbad8b99677470b8a5d3dc0bbd2e26700a264
                                                    • Instruction Fuzzy Hash: FCF0C23544521ADFCB60DF76ECD4996BB6CFB7031BB00443AE205C3021D731A45ADBA6
                                                    APIs
                                                    • InitializeCriticalSection.KERNEL32(?,00533D5B,?,0052DF88), ref: 00536638
                                                    • InitializeCriticalSection.KERNEL32(?,00533D5B,?,0052DF88), ref: 00536640
                                                    • InitializeCriticalSection.KERNEL32(?,00533D5B,?,0052DF88), ref: 00536648
                                                    • InitializeCriticalSection.KERNEL32(?,00533D5B,?,0052DF88), ref: 00536650
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2565658784.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: CriticalInitializeSection
                                                    • String ID:
                                                    • API String ID: 32694325-0
                                                    • Opcode ID: e2aa3fce27fd820a3db75997049886de26e256fa781f425bd74096d6f37e20cb
                                                    • Instruction ID: 5a5bd953fb2e2508b340f0c8fe6f8b42bdec844234ac3582288bdd8684a6eabb
                                                    • Opcode Fuzzy Hash: e2aa3fce27fd820a3db75997049886de26e256fa781f425bd74096d6f37e20cb
                                                    • Instruction Fuzzy Hash: 7CC002779020B4DACB512B56FE45D863F67EB0C2613018167A2045D63086251C60EFD8

                                                    Execution Graph

                                                    Execution Coverage:6.9%
                                                    Dynamic/Decrypted Code Coverage:51.7%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:662
                                                    Total number of Limit Nodes:24
21828 10027bb0 4 API calls 21826->21828 21827->21803 21829 10028d7d ReadFile CloseHandle 21828->21829 21829->21827 21830->21807 21832 100064ad 21831->21832 21833 1000652f RtlMoveMemory 21832->21833 21836 1000679e 21832->21836 21835 10006669 21833->21835 21834 10027ca0 5 API calls 21834->21836 21835->21834 21836->21809 21837->21815 21838->21813 21840 10027f40 21839->21840 21842 10027f4c 21840->21842 21843 10027f80 21840->21843 21841 10027feb 21841->21689 21860 100297e0 ExitProcess GetProcessHeap RtlAllocateHeap MessageBoxA 21842->21860 21843->21841 21844 10027f9b 21843->21844 21847 10027fc2 21843->21847 21861 100297e0 ExitProcess GetProcessHeap RtlAllocateHeap MessageBoxA 21844->21861 21862 100297e0 ExitProcess GetProcessHeap RtlAllocateHeap MessageBoxA 21847->21862 21848 10027f76 21848->21689 21849 10027fb8 21849->21689 21851 10027fe1 21851->21689 21853 1001006f 21852->21853 21854 100283f0 16 API calls 21853->21854 21855 10010097 21854->21855 21863 10028ad0 21855->21863 21857 100100cc 21870 10028b30 21857->21870 21859 10010173 21859->21695 21860->21848 21861->21849 21862->21851 21864 10028b23 21863->21864 21865 10028ae4 21863->21865 21864->21857 21865->21864 21866 10027bb0 4 API calls 21865->21866 21867 10028afa 21866->21867 21868 10028b05 strncpy 21867->21868 21869 10028b19 21867->21869 21868->21868 21868->21869 21869->21857 21871 10028b91 21870->21871 21872 10028b45 21870->21872 21871->21859 21872->21871 21873 10027bb0 4 API calls 21872->21873 21874 10028b68 21873->21874 21874->21859 21876 1001a00d 21875->21876 21889 1001a031 21876->21889 21879 1001a0ce 21880 10027f20 4 API calls 21879->21880 21881 1001a0f7 21880->21881 21904 1001a199 21881->21904 21883 1001a16d 21883->21710 21885 100280c0 4 API calls 21884->21885 21886 1000800f 21885->21886 21915 10007db8 21886->21915 21888 10008052 21888->21704 21890 1001a047 21889->21890 21891 1001a0a1 21889->21891 21892 1000188f 17 API calls 21890->21892 21899 10004b1b 21891->21899 21894 1001a058 21892->21894 21903 100031b3 6 
API calls 21894->21903 21895 10019f88 21895->21704 21895->21879 21897 1001a074 21898 1001a087 InterlockedExchange 21897->21898 21898->21891 21900 10004b3d 21899->21900 21901 10004b2e 21899->21901 21900->21901 21902 10004baa LdrInitializeThunk 21900->21902 21901->21895 21902->21895 21903->21897 21905 1001a1af 21904->21905 21912 1001a209 21904->21912 21907 1000188f 17 API calls 21905->21907 21906 10004b1b LdrInitializeThunk 21908 1001a22b 21906->21908 21909 1001a1c0 21907->21909 21908->21883 21914 100031b3 6 API calls 21909->21914 21911 1001a1ef InterlockedExchange 21911->21912 21912->21906 21913 1001a1dc 21913->21911 21914->21913 21916 10007dce 21915->21916 21917 10007e28 21915->21917 21918 1000188f 17 API calls 21916->21918 21919 10004b1b LdrInitializeThunk 21917->21919 21920 10007ddf 21918->21920 21921 10007e4a 21919->21921 21925 100031b3 6 API calls 21920->21925 21921->21888 21923 10007dfb 21924 10007e0e InterlockedExchange 21923->21924 21924->21917 21925->21923 22369 10027050 62 API calls 22426 10011753 DispatchMessageA CallWindowProcA 22429 54930d 65 API calls __EH_prolog 22280 4ccb10 22283 4ccaf0 22280->22283 22286 4c4840 22283->22286 22285 4ccb01 22287 4c486b 22286->22287 22288 4c4903 22286->22288 22289 4c488a 22287->22289 22294 4c4893 GetProcAddress 22287->22294 22293 4c4931 22288->22293 22309 4c4b9c 22288->22309 22341 52eba8 6 API calls 22288->22341 22338 52eba8 6 API calls 22289->22338 22303 4c495c 22293->22303 22305 4c4a6f 22293->22305 22295 4c48d5 22294->22295 22296 4c48b3 22294->22296 22340 4c4820 35 API calls 22295->22340 22339 4c4c10 70 API calls 22296->22339 22298 4c48ed 22298->22285 22299 4c4a74 LoadLibraryA 22301 4c4a84 GetProcAddress 22299->22301 22299->22305 22301->22305 22302 4c4a3a LoadLibraryA 22304 4c4aca 22302->22304 22310 4c4a47 GetProcAddress 22302->22310 22303->22302 22306 4c4988 22303->22306 22307 4c49b0 22303->22307 22304->22309 22312 4c4adf FreeLibrary 22304->22312 22313 4c4ae6 22304->22313 22305->22299 22305->22304 22308 4c4ab6 
FreeLibrary 22305->22308 22311 54031a 32 API calls 22306->22311 22332 54031a 22307->22332 22308->22305 22309->22285 22310->22304 22315 4c4a57 22310->22315 22316 4c4994 LoadLibraryA 22311->22316 22312->22313 22320 4c4b4a 22313->22320 22321 4c4af7 22313->22321 22315->22304 22318 4c49a4 22316->22318 22317 4c49c6 22319 54031a 32 API calls 22317->22319 22318->22307 22318->22310 22322 4c49da LoadLibraryA 22319->22322 22343 4c4c10 70 API calls 22320->22343 22342 4c4c10 70 API calls 22321->22342 22325 4c49ea 22322->22325 22325->22310 22328 4c4a32 22325->22328 22329 54031a 32 API calls 22325->22329 22326 4c4b75 22326->22285 22327 4c4b23 22327->22285 22328->22302 22328->22310 22330 4c4a22 LoadLibraryA 22329->22330 22331 5400d1 22330->22331 22331->22328 22333 540324 __EH_prolog 22332->22333 22334 540343 lstrlenA 22333->22334 22335 54033f 22333->22335 22334->22335 22344 540276 22335->22344 22337 540361 22337->22317 22338->22294 22339->22295 22340->22298 22341->22293 22342->22327 22343->22326 22345 540290 22344->22345 22346 54028a 22344->22346 22345->22337 22347 53ff3e 31 API calls 22346->22347 22347->22345 21957 53fe3b 21960 52f72e 21957->21960 21961 52f808 21960->21961 21962 52f75c 21960->21962 21963 52f7a1 21962->21963 21964 52f766 21962->21964 21966 52f792 21963->21966 21980 536654 29 API calls 21963->21980 21977 536654 29 API calls 21964->21977 21966->21961 21967 52f7fa RtlFreeHeap 21966->21967 21967->21961 21969 52f76d 21970 52f787 21969->21970 21978 5378d8 VirtualFree VirtualFree HeapFree 21969->21978 21979 52f798 LeaveCriticalSection 21970->21979 21971 52f7d9 21982 52f7f0 LeaveCriticalSection 21971->21982 21972 52f7ad 21972->21971 21981 53865f VirtualFree HeapFree VirtualFree 21972->21981 21977->21969 21978->21970 21979->21966 21980->21972 21981->21971 21982->21966 22373 1002706f 46 API calls 22433 10026d73 88 API calls 22434 10026b71 23 API calls 22436 1002572d 23 API calls 22375 10026c7b HeapAlloc 22438 10026f7c 45 API calls 22378 5326d5 32 API calls 22379 1002708e 33 
API calls 22442 10027192 59 API calls 22445 10026f9b 23 API calls 22382 10026e99 89 API calls 22173 4cced0 22176 4c68d0 22173->22176 22175 4ccef5 22177 4c690c 22176->22177 22178 4c6910 22177->22178 22180 4c6922 22177->22180 22252 4c4c10 70 API calls 22178->22252 22181 4c6954 22180->22181 22182 4c6acc 22180->22182 22183 4c6a7f 22181->22183 22184 4c6a31 22181->22184 22185 4c69e2 22181->22185 22186 4c6983 22181->22186 22204 4c6c56 22181->22204 22205 4c6b64 22181->22205 22206 4c6d60 22181->22206 22210 4c691d 22181->22210 22187 4c6b10 IsWindow 22182->22187 22201 4c6b26 22182->22201 22192 4c6ab7 22183->22192 22193 4c6aa2 22183->22193 22183->22210 22190 4c6a6a 22184->22190 22191 4c6a55 22184->22191 22184->22210 22188 4c6a1c 22185->22188 22189 4c6a07 22185->22189 22185->22210 22253 52ecf4 29 API calls 22186->22253 22187->22201 22256 4c67d0 51 API calls 22188->22256 22255 4c67d0 51 API calls 22189->22255 22258 4c67d0 51 API calls 22190->22258 22257 4c67d0 51 API calls 22191->22257 22260 4c67d0 51 API calls 22192->22260 22259 4c67d0 51 API calls 22193->22259 22202 4c7139 22201->22202 22203 4c6b52 22201->22203 22214 4c7153 22202->22214 22271 4c4c10 70 API calls 22202->22271 22203->22204 22203->22205 22203->22206 22203->22210 22208 4c6ca5 GetWindowRect 22204->22208 22204->22210 22209 4c6bbd GetWindowRect GetParent 22205->22209 22205->22210 22206->22210 22219 4c6e04 22206->22219 22220 4c6df5 22206->22220 22212 4c6ce4 22208->22212 22213 4c6cc6 22208->22213 22261 541ad4 66 API calls 22209->22261 22210->22175 22211 4c699d 22211->22210 22254 4c67d0 51 API calls 22211->22254 22266 54445b SetWindowPos 22212->22266 22265 54445b SetWindowPos 22213->22265 22216 4c73d0 22214->22216 22234 4c728f 22214->22234 22239 4c7188 22214->22239 22216->22239 22273 4ce910 70 API calls 22216->22273 22224 4c6f8a 22219->22224 22248 4c6e29 22219->22248 22267 5444aa 22220->22267 22221 4c6be0 22225 4c6c00 22221->22225 22262 544342 GetWindowLongA 22221->22262 22270 4c2d90 87 API calls 22224->22270 22264 
54441a MoveWindow 22225->22264 22229 4c6bed 22229->22225 22263 54690e GetWindowLongA ScreenToClient ScreenToClient 22229->22263 22230 4c74d3 IsWindow 22230->22210 22232 4c74de 22230->22232 22232->22210 22236 4c74f2 22232->22236 22235 4c72c6 GetStockObject GetObjectA 22234->22235 22237 4c72b5 22234->22237 22235->22237 22274 4c4300 PeekMessageA 22236->22274 22237->22239 22272 4ce910 70 API calls 22237->22272 22239->22210 22239->22230 22243 4c751f 22244 4c4300 67 API calls 22243->22244 22246 4c7526 22244->22246 22245 4c6f71 22245->22210 22247 5444aa ShowWindow 22245->22247 22246->22210 22247->22210 22248->22210 22248->22245 22249 4c6ed4 IsWindow 22248->22249 22249->22245 22251 4c6ee6 22249->22251 22250 4b4fe0 SendMessageA 22250->22251 22251->22248 22251->22250 22252->22210 22253->22211 22254->22210 22255->22210 22256->22210 22257->22210 22258->22210 22259->22210 22260->22210 22261->22221 22262->22229 22263->22225 22264->22210 22265->22210 22266->22210 22268 5444c0 22267->22268 22269 5444b1 ShowWindow 22267->22269 22268->22210 22269->22268 22270->22210 22271->22214 22272->22239 22273->22239 22275 4c431d 22274->22275 22276 4c4343 22274->22276 22275->22276 22277 544e3c 65 API calls 22275->22277 22278 4c4330 PeekMessageA 22275->22278 22279 4c4360 105 API calls 22276->22279 22277->22275 22278->22275 22278->22276 22279->22243 22385 100274b1 10 API calls 22387 1002a472 __CxxFrameHandler 22388 10026eb8 90 API calls 22389 10026cb9 23 API calls 22393 1001a595 ExitProcess GetProcessHeap RtlAllocateHeap MessageBoxA 22452 10026dc5 30 API calls 22455 10026bd6 25 API calls 22456 530d84 RtlUnwind 22398 100270d8 28 API calls 22399 10026cd8 22 API calls 22401 4cce90 70 API calls 22459 10026de4 84 API calls 22463 100291f3 ??3@YAXPAX GetProcessHeap HeapFree 22464 100293f0 ??3@YAXPAX 22406 10026ef6 75 API calls 22407 10026cf7 43 API calls 22408 4cceb0 83 API calls

                                                    Control-flow Graph
                                                    [Function 100193c2: graph rendered as an image in the original report; the basic-block list is not reproduced. Recoverable call structure, in block order: 1002748d (three times), 100294c0, CopyFileA, 10028d40, 10028000, 1000241a, 10028e50, 10006495, RtlAllocateHeap, then a loop over 10007b67, 1002748d, 10008edd, 10001000 and 10001b27, ending in 100094fb. 10027487 and 10027499 are called on the alternate branch after most of these calls.]
                                                    APIs
                                                      • Part of subcall function 100294C0: GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                                                      • Part of subcall function 100294C0: GetTickCount.KERNEL32 ref: 10029543
                                                      • Part of subcall function 100294C0: wsprintfA.USER32 ref: 10029558
                                                      • Part of subcall function 100294C0: PathFileExistsA.SHLWAPI(?), ref: 10029565
                                                    • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 10019491
                                                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000000,00000001,?,?,?,00000000), ref: 100195FF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: FilePath$AllocateCopyCountExistsHeapTempTickwsprintf
                                                    • String ID: @
                                                    • API String ID: 183890193-2766056989
                                                    • Opcode ID: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
                                                    • Instruction ID: 886d6a9a19e72094fdb0421fea6300c5803c3cbfa718e8e798f15b8255d4c358
                                                    • Opcode Fuzzy Hash: 094b6bc326079ddd2d965c8e3793aa750dede3325ae0d73e81acd5dd6e2b6923
                                                    • Instruction Fuzzy Hash: 26D142B5E40209ABEB01DFD4DCC2F9EB7B4FF18704F540065F604BA282E776A9548B66

                                                    Control-flow Graph
                                                    [Function 1000710e: graph rendered as an image in the original report; the basic-block list is not reproduced. Recoverable call structure: 1002748d (five times), GetVersionExA, 10027ca0, 10027487, 1002748d, GetSystemInfo, RtlGetNtVersionNumbers, then a long series of small comparison blocks with two calls to 10028950, and a final run of four 10027487 calls. 10027499 is called on the alternate branch after GetVersionExA, GetSystemInfo and RtlGetNtVersionNumbers.]
                                                    APIs
                                                    • GetVersionExA.KERNEL32(00000000,10006DE0), ref: 10007264
                                                    • GetSystemInfo.KERNEL32(00000000,?), ref: 100073E6
                                                    • RtlGetNtVersionNumbers.NTDLL(?,?,00000000), ref: 100074B7
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Version$InfoNumbersSystem
                                                    • String ID:
                                                    • API String ID: 995872648-0
                                                    • Opcode ID: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                                                    • Instruction ID: 6910099e4755c4c9484fada616f008788a9246664730439cfdd765e490be93a4
                                                    • Opcode Fuzzy Hash: 4db5fb4a3d4e00142a26ff1c95db703d9d4110d6a3e51e96ae052a8b9dbbdf6b
                                                    • Instruction Fuzzy Hash: 001225B5E40246DBFB00CFA8DC81799B7F0FF19364F290065E909AB345E379A951CB62

                                                    Control-flow Graph
                                                    [Function 10007fdd: graph rendered as an image in the original report; the basic-block list is not reproduced. Recoverable call structure: 100280c0, 10027487 on one branch, then 1000241a and 10007db8, with 10027499 and 10027487 on the trailing branches.]
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID: `+vw
                                                    • API String ID: 3535843008-2575219697
                                                    • Opcode ID: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                                                    • Instruction ID: f7734d6dfd281f4cec539f69a8a4743609fe5589cfe20e3980177d77de103c32
                                                    • Opcode Fuzzy Hash: 76ebdb1f9ae7fad4396e4606b060dc1f1c005ed102ca8efddb9a9d5d028a9210
                                                    • Instruction Fuzzy Hash: 92112EB5D40308BBEB50DFE0DC86B9DBBB8EF05340F108069E6447A281D7B66B588B91

                                                    Control-flow Graph
                                                    [Function 10018ad3: graph rendered as an image in the original report; the basic-block list is not reproduced. Recoverable call structure: 10018eea (twice), HeapCreate (twice), then six repetitions of the sequence 10001000, 1000188f, 1000b61e, followed by 10006453, 1000710e, 10018f34, 100191e3, 10019edc, 1000ff10, 100114f9, 10019edc, 1000ff10, 100114f9, 10019f4c and 1001a236. 10027499 or 10027487 is called on the alternate branch after nearly every call.]
                                                    APIs
                                                      • Part of subcall function 10018EEA: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                                                    • HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 10018B14
                                                    • HeapCreate.KERNEL32(00040000,00000000,00000000), ref: 10018B51
                                                      • Part of subcall function 1000FF10: RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Create$Heap$ComputeCrc32Mutex
                                                    • String ID:
                                                    • API String ID: 3311811139-0
                                                    • Opcode ID: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                                                    • Instruction ID: 66fc46a93c8d8d126791b072413d70454ec7258938680aadaad6e332e46fbde2
                                                    • Opcode Fuzzy Hash: 9a351e1243e265833069ffbda416112d0eb9d2fee80185d79aac6a55443b64bb
                                                    • Instruction Fuzzy Hash: B8B10CB5E00309ABEB10EFE4DCC2B9E77B8FB14340F504465E618EB246E775AB448B52
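The per-function API listings in these blocks are regular enough to parse, which lets a practitioner turn the report into behaviour flags automatically: for example the GetTempPathA, GetTickCount, wsprintfA, PathFileExistsA, CopyFileA sequence in 100193c2, or the CreateMutexA, HeapCreate, RtlComputeCrc32 sequence in 10018ad3. The Python script below is an added example and is not part of the Joe Sandbox report or of the sample's own code. It parses lines in the listing format used above, keeps the calls in listing order per function, records direct NTDLL calls, and matches the call order against a small table of chains that are this example's own heuristics rather than Joe Sandbox signatures. The sample input is constructed from listing lines on this page, including the 4c4840 block further down.

```python
"""Parse Joe Sandbox per-function API listings and flag behaviour chains.
Added example, not code from the report or the sample; SAMPLE_LISTINGS is
constructed from lines on this page, and CHAINS is this example's own heuristic."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One listing line looks like "• CopyFileA.KERNEL32(00000000,...), ref: 10019491".
# The argument list is optional, and a "Part of subcall function X:" prefix marks
# a call that sits inside callee X rather than in the listed function itself.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[\w?@]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int               # call-site address
    callee: Optional[str]  # subcall function containing the call, if any


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return calls in listing order; lines that are not API entries are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a for a in (m.group("args") or "").split(",") if a]
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("callee")))
    return calls


# Ordered API chains summarising behaviours the report attributes to the sample.
# A chain matches when its APIs appear as a subsequence of a function's listing.
# Listing order is used instead of sorting by address: subcall lines carry the
# callee's addresses, which do not sort together with the caller's.
CHAINS: Dict[str, List[str]] = {
    "stage a file copy under a unique temp name":
        ["GetTempPathA", "GetTickCount", "wsprintfA", "PathFileExistsA", "CopyFileA"],
    "fingerprint OS version and hardware":
        ["GetVersionExA", "GetSystemInfo", "RtlGetNtVersionNumbers"],
    "mutex-guarded init with private heaps and CRC32":
        ["CreateMutexA", "HeapCreate", "HeapCreate", "RtlComputeCrc32"],
    "resolve imports at runtime":
        ["LoadLibraryA", "GetProcAddress", "FreeLibrary"],
}


def is_subsequence(needle: List[str], haystack: List[str]) -> bool:
    it = iter(haystack)  # shared iterator: each needle item must appear after the previous
    return all(any(x == y for y in it) for x in needle)


def match_chains(calls: List[ApiCall]) -> List[str]:
    apis = [c.api for c in calls]
    return [name for name, chain in CHAINS.items() if is_subsequence(chain, apis)]


def analyse(listings: Dict[str, str]) -> Dict[str, dict]:
    """Per function: call count, direct NTDLL (native) calls and matched chains."""
    out: Dict[str, dict] = {}
    for func, text in listings.items():
        calls = parse_api_lines(text)
        out[func] = {"calls": len(calls),
                     "native": [c.api for c in calls if c.module == "NTDLL"],
                     "chains": match_chains(calls)}
    return out


# Constructed input: listing lines copied from the function blocks on this page.
SAMPLE_LISTINGS: Dict[str, str] = {
    "100193c2": """
• Part of subcall function 100294C0: GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
• Part of subcall function 100294C0: GetTickCount.KERNEL32 ref: 10029543
• Part of subcall function 100294C0: wsprintfA.USER32 ref: 10029558
• Part of subcall function 100294C0: PathFileExistsA.SHLWAPI(?), ref: 10029565
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 10019491
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000000,00000001,?,?,?,00000000), ref: 100195FF""",
    "1000710e": """
• GetVersionExA.KERNEL32(00000000,10006DE0), ref: 10007264
• GetSystemInfo.KERNEL32(00000000,?), ref: 100073E6
• RtlGetNtVersionNumbers.NTDLL(?,?,00000000), ref: 100074B7""",
    "10018ad3": """
• Part of subcall function 10018EEA: CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
• HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 10018B14
• HeapCreate.KERNEL32(00040000,00000000,00000000), ref: 10018B51
• Part of subcall function 1000FF10: RtlComputeCrc32.NTDLL(00000000,00000001,00000000), ref: 1000FFF4""",
    "004c4840": """
• GetProcAddress.KERNEL32(00000000,007E85F4), ref: 004C48A7
• LoadLibraryA.KERNEL32(?,?,007F8FD8), ref: 004C4997
• GetProcAddress.KERNEL32(00000000,?), ref: 004C4A4D
• FreeLibrary.KERNEL32(00000000), ref: 004C4AE0""",
}

if __name__ == "__main__":
    for func, info in analyse(SAMPLE_LISTINGS).items():
        print(f"{func}: {info['calls']} calls, native={info['native']}, chains={info['chains']}")
```

Run it directly to print one line per function. The regex relies on the plugin's "api.MODULE(args), ref: addr" layout and ignores anything else rather than guessing, so headers such as "Memory Dump Source" pass through harmlessly; CHAINS is the place to encode the sequences you care about when triaging other reports in the same format.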
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(1002D511,00000000), ref: 1001A1FA
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ExchangeInterlocked
                                                    • String ID:
                                                    • API String ID: 367298776-0
                                                    • Opcode ID: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                                                    • Instruction ID: 8b03ad6f155dc1ffa3c952e4c0ec4cfc85cd69f7d418c3f1b48ca094e25b3ce2
                                                    • Opcode Fuzzy Hash: fdea1bf63a2f3fbf83a69b9166c7a3f248e31975ffa5506ce454b9bb650ff928
                                                    • Instruction Fuzzy Hash: EF012975D04319A7DB00EFD49C82F9E77B9EB05340F404066E50466151D775DB949B92
                                                    APIs
                                                    • CreateMutexA.KERNEL32(00000000,00000000,00000000,?,10018AF3), ref: 10018F05
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: CreateMutex
                                                    • String ID:
                                                    • API String ID: 1964310414-0
                                                    • Opcode ID: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                                                    • Instruction ID: b5123a5caac3b4bfff5d25017b882f5dc189a7960400f6af0356bf2a3b5a090f
                                                    • Opcode Fuzzy Hash: 8e252e712528da66640590098dfb9258a448d5e56a455f4eb85160379f0f4c55
                                                    • Instruction Fuzzy Hash: 49E01270E95308F7E120AA505D03B29B635D70AB11F609055BE083E1C1D5B19A156696

                                                    Control-flow Graph
                                                    [Function 4c4840: graph rendered as an image in the original report; the basic-block list is not reproduced. Recoverable call structure: 52eba8, GetProcAddress, 4cdfd0, 4c4c10, 5400d1, 4c4820, 4b1e40, 52fbc0, then several LoadLibraryA sites each preceded by 54031a and followed by 5400d1, a further GetProcAddress, FreeLibrary (two sites), and two error paths through 4cdfd0, 4c4c10 and 5400d1.]
                                                    APIs
                                                    • GetProcAddress.KERNEL32(00000000,007E85F4), ref: 004C48A7
                                                    • LoadLibraryA.KERNEL32(?,?,007F8FD8), ref: 004C4997
                                                    • LoadLibraryA.KERNEL32(?,?), ref: 004C49DD
                                                    • LoadLibraryA.KERNEL32(?,?,007F8EE0,?), ref: 004C4A25
                                                    • LoadLibraryA.KERNEL32(?), ref: 004C4A3B
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004C4A4D
                                                    • FreeLibrary.KERNEL32(00000000), ref: 004C4AE0
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2565642066.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566125063.0000000000551000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566125063.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566628036.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566755959.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566784822.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566814354.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566840470.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566870321.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566898369.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.0000000000806000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.0000000000826000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.000000000082B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2567102323.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: Library$Load$AddressProc$Free
                                                    • String ID:
                                                    • API String ID: 3120990465-0
                                                    • Opcode ID: 8298aec99bd1bcd66cc67a374f409ded6481a5c15f9d9f2f8c1356aa279f3409
                                                    • Instruction ID: 21065c7f70eb81fa8e5161ede46cc0628d0d0314e5cbb0618be4e4c6caa86c13
                                                    • Opcode Fuzzy Hash: 8298aec99bd1bcd66cc67a374f409ded6481a5c15f9d9f2f8c1356aa279f3409
                                                    • Instruction Fuzzy Hash: 21A1E079A00702ABD350DF24C8A5FABB7A4FFD8314F044A2EF91597341DB38E9058BA5

Control-flow Graph

Basic blocks (node: address range, calls made in the block):
• 501: 549c30-549c4d, EnterCriticalSection
• 502: 549c5c-549c61
• 503: 549c4f-549c56
• 504: 549d15-549d18
• 505: 549c63-549c66
• 506: 549c7e-549c87
• 507: 549c9c-549cb8, GlobalHandle, GlobalUnlock, GlobalReAlloc
• 508: 549c89-549c9a, GlobalAlloc
• 509: 549d20-549d41, LeaveCriticalSection
• 510: 549d1a-549d1d
• 511: 549c69-549c6c
• 512: 549cbe-549cca
• 513: 549c76-549c78
• 514: 549c6e-549c74
• 515: 549ce7-549d14, GlobalLock, call 531840
• 516: 549ccc-549ce2, GlobalHandle, GlobalLock, LeaveCriticalSection, call 53e121
Edges (node -> successors):
• 501 -> 502, 503
• 502 -> 505, 506
• 503 -> 502, 504
• 504 -> 509, 510
• 505 -> 511
• 506 -> 507, 508
• 507 -> 512
• 508 -> 512
• 510 -> 509
• 511 -> 513, 514
• 512 -> 515, 516
• 513 -> 504, 506
• 514 -> 511, 513
• 515 -> 504
• 516 -> 515
                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(00827AA0,00827A74,00000000,?,00827A84,00827A84,00549FCB,?,00000000,00549A1E,0054930D,00549A3A,00544E41,005460E6,?,00000000), ref: 00549C3F
                                                    • GlobalAlloc.KERNEL32(00002002,00000000,?,?,00827A84,00827A84,00549FCB,?,00000000,00549A1E,0054930D,00549A3A,00544E41,005460E6,?,00000000), ref: 00549C94
                                                    • GlobalHandle.KERNEL32(00C8C7C8), ref: 00549C9D
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00549CA6
                                                    • GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 00549CB8
                                                    • GlobalHandle.KERNEL32(00C8C7C8), ref: 00549CCF
                                                    • GlobalLock.KERNEL32(00000000), ref: 00549CD6
                                                    • LeaveCriticalSection.KERNEL32(0052DFF8,?,?,00827A84,00827A84,00549FCB,?,00000000,00549A1E,0054930D,00549A3A,00544E41,005460E6,?,00000000), ref: 00549CDC
                                                    • GlobalLock.KERNEL32(00000000), ref: 00549CEB
                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00549D34
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2565642066.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566125063.0000000000551000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566125063.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566628036.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566755959.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566784822.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566814354.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566840470.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566870321.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566898369.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.0000000000806000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.0000000000826000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.000000000082B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2567102323.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                                    • String ID:
                                                    • API String ID: 2667261700-0
                                                    • Opcode ID: 799b0489a169ba97f8eae9c6e1fac84caeeaf80516c7be6522846b83e129c017
                                                    • Instruction ID: 1e20485e5a3be9b87e3b9325e2dd40b70e30227bc50ccc22cd6acad8277f0d69
                                                    • Opcode Fuzzy Hash: 799b0489a169ba97f8eae9c6e1fac84caeeaf80516c7be6522846b83e129c017
                                                    • Instruction Fuzzy Hash: 963181756007069FDB249F28DC9AA6BBBE9FB84305F010A2DF456C7661E771EC48CB14

Control-flow Graph

Basic blocks (node: address range, calls made in the block):
• 886: 100294c0-100294cf
• 887: 100294d1-100294e3, GetTempPathA
• 888: 100294eb-10029511
• 889: 10029513-1002952c
• 890: 100294e5-100294e9
• 891: 10029531-1002953d
• 892: 1002952e
• 893: 10029543-10029569, GetTickCount, wsprintfA, PathFileExistsA
• 894: 1002956b-100295b3, call 10027bb0
Edges (node -> successors):
• 886 -> 887, 888
• 887 -> 889, 890
• 888 -> 889
• 889 -> 891, 892
• 890 -> 889
• 891 -> 893
• 892 -> 891
• 893 -> 893, 894
                                                    APIs
                                                    • GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
                                                    • GetTickCount.KERNEL32 ref: 10029543
                                                    • wsprintfA.USER32 ref: 10029558
                                                    • PathFileExistsA.SHLWAPI(?), ref: 10029565
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Path$CountExistsFileTempTickwsprintf
                                                    • String ID: %s%x.tmp
                                                    • API String ID: 3843276195-78920241
                                                    • Opcode ID: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                                                    • Instruction ID: 19c0f5fbbc49b21063d5a4c1e69b6cb6cd736cc94922c53957f775166a9e82b6
                                                    • Opcode Fuzzy Hash: 2e5e0e6654714d979119431959421d409a367cea90acc93e1422cbe6f956d51b
                                                    • Instruction Fuzzy Hash: 9521F6352046144FE329D638AC526EB77D5FBC4360F948A2DF9AA831C0DF74DD058791

Control-flow Graph

Basic blocks (node: address range, calls made in the block):
• 897: 10027bb0-10027bb7
• 898: 10027bc4-10027bd7, RtlAllocateHeap
• 899: 10027bb9-10027bbf, GetProcessHeap
• 900: 10027bf5-10027bf8
• 901: 10027bd9-10027bf2, MessageBoxA, call 10027b10
Edges (node -> successors):
• 897 -> 898, 899
• 898 -> 900, 901
• 899 -> 898
• 901 -> 900
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                                                    • RtlAllocateHeap.NTDLL(00C80000,00000008,?,?,10028674), ref: 10027BCD
                                                    • MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Heap$AllocateMessageProcess
                                                    • String ID: error
                                                    • API String ID: 2992861138-1574812785
                                                    • Opcode ID: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
                                                    • Instruction ID: 89e5899bf0a8eaacd33e9d23978464e8beef4f738102cb453b69e42e0a268b90
                                                    • Opcode Fuzzy Hash: 49d87085d1c515788fcd29673903f8628afbe878102aee32d5879f9984d40736
                                                    • Instruction Fuzzy Hash: 4DE0DF71A01A31ABE322EB64BC88F4B7698EF05B41F910526F608E2240EF20AC019791

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000020,00000000,00000000,100149DF,00000001,00000000,00000000,80000004,00000000,00000000,00000000), ref: 10028D55
                                                    • GetFileSize.KERNEL32(00000000,?,1002C201,00000268,?,00000000,00000000,00000000,00000000), ref: 10028D6C
                                                      • Part of subcall function 10027BB0: GetProcessHeap.KERNEL32(10028674), ref: 10027BB9
                                                      • Part of subcall function 10027BB0: RtlAllocateHeap.NTDLL(00C80000,00000008,?,?,10028674), ref: 10027BCD
                                                      • Part of subcall function 10027BB0: MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
                                                    • ReadFile.KERNEL32(00000000,00000008,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D98
                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D9F
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: File$Heap$AllocateCloseCreateHandleMessageProcessReadSize
                                                    • String ID:
                                                    • API String ID: 749537981-0
                                                    • Opcode ID: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                                                    • Instruction ID: 3e7a6e3e6917c5c906f0044d82f650070526e8034b550c75b50b94cd4b2286ca
                                                    • Opcode Fuzzy Hash: e30a59cac924785109d668b76131e4edff7319d033e682f57e2deec09e2c1d43
                                                    • Instruction Fuzzy Hash: 31F044762003107BE3218B64DCC9F9B77ACEB84B51F204A1DF616961D0E670A5458761
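The function listings above enumerate the Windows API calls Joe Sandbox attributes to each recovered function: the resolver at 4c4840 that pairs LoadLibraryA with GetProcAddress and FreeLibrary, the loop at 100294c0 that combines GetTempPathA, GetTickCount, wsprintfA and PathFileExistsA with the format string `%s%x.tmp`, and the reader at 10028d55 that opens a file and hands its size to the heap-allocating helper listed as a subcall. The Python below is an added triage helper, not part of the Joe Sandbox report or of the analysed sample: it parses `APIs` listings of this shape, groups them per `Control-flow Graph` block, keeps the block's `String ID`, and applies analyst-chosen rules to label behaviours. The rule names, the anchoring of a block on its lowest direct call-site address, and the sample text (copied from the listings on this page) are this example's assumptions.

```python
"""Behaviour tagging over the per-function "APIs" listings of a Joe Sandbox report.

Added triage helper, not part of Joe Sandbox or of the analysed sample. It groups the
"• Name.MODULE(args), ref: ADDRESS" lines of each "Control-flow Graph" block, keeps the
block's "• String ID:" value, and applies analyst-chosen heuristic rules. The rule names
and the anchor convention are this example's assumptions, not Joe Sandbox signatures.
"""
import re
from typing import Dict, List, Set

# Direct call:   "• LoadLibraryA.KERNEL32(?,?,007F8FD8), ref: 004C4997"
# No-arg form:   "• GetTickCount.KERNEL32 ref: 10029543"
# Subcall line:  "• Part of subcall function 10027BB0: RtlAllocateHeap.NTDLL(...), ref: 10027BCD"
API_LINE = re.compile(
    r"^\s*•\s*(?:(?P<sub>Part of subcall function)\s+[0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<s>.*?)\s*$")
BLOCK_START = "Control-flow Graph"

# (tag, APIs that must all be seen in the function or in its listed subcalls,
#  substring that must occur in one of the block's String IDs, or None)
RULES = [
    ("dynamic-api-resolution", {"LoadLibraryA", "GetProcAddress"}, None),
    ("temp-file-name-probe", {"GetTempPathA", "wsprintfA", "PathFileExistsA"}, ".tmp"),
    ("windows-hook-install", {"SetWindowsHookExA"}, None),
    ("file-read-into-heap", {"CreateFileA", "ReadFile", "RtlAllocateHeap"}, None),
]


def tag_report(text: str) -> Dict[str, dict]:
    """Return {anchor: {"apis", "subcall_apis", "strings", "tags"}} per function block.

    The anchor is the lowest direct call-site address in the block; the API listing does
    not print the function start address, so this is the example's own convention.
    """
    blocks: List[List[str]] = []
    for line in text.splitlines():
        if line.strip() == BLOCK_START:
            blocks.append([])
        elif blocks:
            blocks[-1].append(line)

    result: Dict[str, dict] = {}
    for lines in blocks:
        direct: Set[str] = set()
        subcall: Set[str] = set()
        refs: List[int] = []
        strings: List[str] = []
        for line in lines:
            m = API_LINE.match(line)
            if m:
                if m.group("sub"):
                    subcall.add(m.group("api"))  # reached through a callee, not this function
                else:
                    direct.add(m.group("api"))
                    refs.append(int(m.group("ref"), 16))
                continue
            m = STRING_LINE.match(line)
            if m and m.group("s"):
                strings.append(m.group("s"))
        if not refs:
            continue  # no direct API call site: nothing to anchor the block on
        seen = direct | subcall
        tags = [tag for tag, need, needle in RULES
                if need <= seen and (needle is None or any(needle in s for s in strings))]
        result[f"{min(refs):08X}"] = {
            "apis": direct, "subcall_apis": subcall, "strings": strings, "tags": tags,
        }
    return result


# Constructed input: API lines copied from three function listings of this report.
SAMPLE_REPORT = """\
Control-flow Graph
APIs
• GetProcAddress.KERNEL32(00000000,007E85F4), ref: 004C48A7
• LoadLibraryA.KERNEL32(?,?,007F8FD8), ref: 004C4997
• FreeLibrary.KERNEL32(00000000), ref: 004C4AE0
Similarity
• String ID:
Control-flow Graph
APIs
• GetTempPathA.KERNEL32(00000104,00000000,00000000,1002C201,00000264), ref: 100294DB
• GetTickCount.KERNEL32 ref: 10029543
• wsprintfA.USER32 ref: 10029558
• PathFileExistsA.SHLWAPI(?), ref: 10029565
Similarity
• String ID: %s%x.tmp
• API String ID: 3843276195-78920241
Control-flow Graph
APIs
• CreateFileA.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000020,00000000,00000000), ref: 10028D55
• GetFileSize.KERNEL32(00000000,?,1002C201,00000268,?,00000000,00000000,00000000,00000000), ref: 10028D6C
  • Part of subcall function 10027BB0: RtlAllocateHeap.NTDLL(00C80000,00000008,?,?,10028674), ref: 10027BCD
  • Part of subcall function 10027BB0: MessageBoxA.USER32(00000000,1002D884,error,00000010), ref: 10027BE6
• ReadFile.KERNEL32(00000000,00000008,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D98
• CloseHandle.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 10028D9F
"""

if __name__ == "__main__":
    for anchor, info in tag_report(SAMPLE_REPORT).items():
        print(anchor, sorted(info["apis"]), info["tags"])
```

The subcall lines are kept apart from the function's own calls on purpose: the report indents them under the caller, so a rule that treats them as direct calls would attribute the heap allocation and the "error" MessageBoxA to every function that calls 10027bb0, while a rule that ignores them would miss the read-into-heap pattern entirely.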

Control-flow Graph

Basic blocks (node: address range, calls made in the block):
• 1040: 544e51-544e5a, call 549a0f
• 1043: 544e5c-544e87, call 5497d8, GetCurrentThreadId, SetWindowsHookExA, call 54a02c
• 1044: 544eaf
• 1048: 544e8c-544e92
• 1049: 544e94-544e99, call 549a0f
• 1050: 544e9f-544eae, call 549f97
Edges (node -> successors):
• 1040 -> 1043, 1044
• 1043 -> 1048
• 1048 -> 1049, 1050
• 1049 -> 1050
• 1050 -> 1044
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 00544E64
                                                    • SetWindowsHookExA.USER32(000000FF,V`H,00000000,00000000), ref: 00544E74
                                                      • Part of subcall function 0054A02C: __EH_prolog.LIBCMT ref: 0054A031
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2565642066.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566125063.0000000000551000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566125063.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566628036.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566755959.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566784822.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566814354.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566840470.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566870321.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566898369.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.0000000000806000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.0000000000826000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.000000000082B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2567102323.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: CurrentH_prologHookThreadWindows
                                                    • String ID: V`H
                                                    • API String ID: 2183259885-1425837005
                                                    • Opcode ID: 4e8c846c88438d327b1b1fe028fe1ed1fa4be22cc98e586880b002200798e337
                                                    • Instruction ID: 7ece4aa872334b0863167523b191370d5eb7394b99c0efca3bcf1e8474a9c863
                                                    • Opcode Fuzzy Hash: 4e8c846c88438d327b1b1fe028fe1ed1fa4be22cc98e586880b002200798e337
                                                    • Instruction Fuzzy Hash: 37F0E5328847517FDB203BB0A80FBDA3E94BB80329F050654B112A64E1EB604C84C752

Control-flow Graph

Basic blocks (node: address range, calls made in the block):
• 1323: 54a860-54a88b, SetErrorMode * 2, call 549a0f * 2
• 1328: 54a8ac-54a8b6, call 549a0f
• 1329: 54a88d-54a8a7, call 54a8c3
• 1333: 54a8bd-54a8c0
• 1334: 54a8b8, call 544e51
Edges (node -> successors):
• 1323 -> 1328, 1329
• 1328 -> 1333, 1334
• 1329 -> 1328
• 1334 -> 1333
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000000,00000000,00546105,00000000,00000000,00000000,00000000,?,00000000,?,0053D893,00000000,00000000,00000000,00000000,0052DFF8), ref: 0054A869
                                                    • SetErrorMode.KERNEL32(00000000,?,00000000,?,0053D893,00000000,00000000,00000000,00000000,0052DFF8,00000000), ref: 0054A870
                                                      • Part of subcall function 0054A8C3: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0054A8F4
                                                      • Part of subcall function 0054A8C3: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0054A995
                                                      • Part of subcall function 0054A8C3: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0054A9C2
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2565642066.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566125063.0000000000551000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566125063.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566628036.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566755959.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566784822.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566814354.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566840470.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566870321.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566898369.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.0000000000806000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.0000000000826000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.000000000082B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2567102323.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
                                                    • String ID:
                                                    • API String ID: 3389432936-0
                                                    • Opcode ID: 82fee41d036530f9663fbc097676b7cedf462ea0941c4c5d27f505813dd9e2c3
                                                    • Instruction ID: 34eb22a69e3933a8a0abdafa6ca4a4334125a0c20b9b493cb25cd9d61432d86b
                                                    • Opcode Fuzzy Hash: 82fee41d036530f9663fbc097676b7cedf462ea0941c4c5d27f505813dd9e2c3
                                                    • Instruction Fuzzy Hash: D4F037719943518FD714BF64D449B8A7FA8BF88714F05848AF4449B2A2CB70D841CF56

Control-flow Graph

Basic blocks (node: address range, calls made in the block):
• 1336: 4c4300-4c431b, PeekMessageA
• 1337: 4c431d-4c4322
• 1338: 4c4343-4c4347
• 1339: 4c4324-4c4341, call 544e3c, PeekMessageA
Edges (node -> successors):
• 1336 -> 1337, 1338
• 1337 -> 1338, 1339
• 1339 -> 1337, 1338
                                                    APIs
                                                    • PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004C4317
                                                    • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004C433D
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000006.00000002.2565642066.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566125063.0000000000551000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566125063.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566628036.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566755959.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566784822.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566814354.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566840470.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566870321.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566898369.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.0000000000806000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.0000000000826000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2566943774.000000000082B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000006.00000002.2567102323.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: MessagePeek
                                                    • String ID:
                                                    • API String ID: 2222842502-0
                                                    • Opcode ID: 8eec6e5128e93a42b400f06fea6d6258ee0e0a5c76780dbcd1cb1337692102ff
                                                    • Instruction ID: f348effb5048d30e07e6a5048a41180952f9128151fb331baab46005233433b9
                                                    • Opcode Fuzzy Hash: 8eec6e5128e93a42b400f06fea6d6258ee0e0a5c76780dbcd1cb1337692102ff
                                                    • Instruction Fuzzy Hash: 8DF06535740342AAEA20E6A48D16F963E586FC4B40F94045ABA409F1D4D6A4E5058BAA

                                                    Control-flow Graph

                                                    Basic blocks (node ID: address range, notable call):
                                                    • 1343: 533f98-533fb6, HeapCreate
                                                    • 1344: 533fb8-533fc5, call 533e50
                                                    • 1345: 533fee-533ff0
                                                    • 1348: 533fc7-533fd2, call 537865
                                                    • 1349: 533fd4-533fd7
                                                    • 1351: 533ff1-533ff4
                                                    • 1352: 533fd9, call 5383ac
                                                    • 1355: 533fde-533fe0
                                                    • 1356: 533fe2-533fe8, HeapDestroy
                                                    Edges:
                                                    • 1343->1344, 1343->1345
                                                    • 1344->1348, 1344->1349
                                                    • 1348->1355
                                                    • 1349->1351, 1349->1352
                                                    • 1352->1355
                                                    • 1355->1351, 1355->1356
                                                    • 1356->1345
                                                    APIs
                                                    • HeapCreate.KERNEL32(00000000,00001000,00000000,0052DF76,00000001), ref: 00533FA9
                                                      • Part of subcall function 00533E50: GetVersionExA.KERNEL32 ref: 00533E6F
                                                    • HeapDestroy.KERNEL32 ref: 00533FE8
                                                      • Part of subcall function 00537865: HeapAlloc.KERNEL32(00000000,00000140,00533FD1,000003F8), ref: 00537872
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000006.00000002.2565642066.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566125063.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566125063.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566628036.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566755959.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566784822.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566814354.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566840470.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566870321.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566898369.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2567102323.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: Heap$AllocCreateDestroyVersion
                                                    • String ID:
                                                    • API String ID: 2507506473-0
                                                    • Opcode ID: 345425e9af27faf0265c41ea0d82b9dd3e3303e25ad377b8ed4358d347821399
                                                    • Instruction ID: 3a45ebcea67b3d74a1cb51e26fdd04bf7c25358b33e784b1e307e95240e40088
                                                    • Opcode Fuzzy Hash: 345425e9af27faf0265c41ea0d82b9dd3e3303e25ad377b8ed4358d347821399
                                                    • Instruction Fuzzy Hash: B7F09B70E453029AEF302731AD4A7657FB4BB90782F504C25F400C51B4EF64C685D611
                                                    APIs
                                                    • IsBadReadPtr.KERNEL32(00000000,00000008), ref: 10027C6E
                                                    • RtlFreeHeap.NTDLL(00C80000,00000000,00000000), ref: 10027C80
                                                      • Part of subcall function 10027AE0: GetModuleHandleA.KERNEL32(10000000,10027CB6,?,?,00000000,10013438,00000004,1002D4C1,00000000,00000000,?,00000014,00000000,00000000), ref: 10027AEA
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: FreeHandleHeapModuleRead
                                                    • String ID:
                                                    • API String ID: 627478288-0
                                                    • Opcode ID: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                                                    • Instruction ID: 59851536013e0aac3578df5bad16e171669d5e3b00cd7f1de4e20f90094f5fd3
                                                    • Opcode Fuzzy Hash: 4d9379b0d58c283c6db725ca31a97e2f75bce73c470b809a1bff60f02603aa99
                                                    • Instruction Fuzzy Hash: 46E0ED71A0153297EB21FB34ADC4A4B769CFB417C0BB1402AF548B3151D330AC818BA2
                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0052F93C
                                                      • Part of subcall function 00536654: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0053076C,00000009,00000000,00000000,00000001,00533DE1,00000001,00000074,?,?,00000000,00000001), ref: 00536691
                                                      • Part of subcall function 00536654: EnterCriticalSection.KERNEL32(?,?,?,0053076C,00000009,00000000,00000000,00000001,00533DE1,00000001,00000074,?,?,00000000,00000001), ref: 005366AC
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000006.00000002.2565642066.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566125063.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566125063.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566628036.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566755959.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566784822.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566814354.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566840470.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566870321.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566898369.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2567102323.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$AllocateEnterHeapInitialize
                                                    • String ID:
                                                    • API String ID: 1616793339-0
                                                    • Opcode ID: 20313b40f7e3dce336daa9741e1f2966b5b848e41a72be9efe4f076bd3057cb2
                                                    • Instruction ID: 7b56e2c9da9a259d952406973c3615529dd566496f40b84713af7035b72e6d44
                                                    • Opcode Fuzzy Hash: 20313b40f7e3dce336daa9741e1f2966b5b848e41a72be9efe4f076bd3057cb2
                                                    • Instruction Fuzzy Hash: 8D218132A00225BBDB20AB69FD46B9EBFB4FF02724F144535F411EB2D1C774A9818B94
                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,0053076C,00000009,00000000,00000000,00000001,00533DE1,00000001,00000074), ref: 0052F802
                                                      • Part of subcall function 00536654: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,0053076C,00000009,00000000,00000000,00000001,00533DE1,00000001,00000074,?,?,00000000,00000001), ref: 00536691
                                                      • Part of subcall function 00536654: EnterCriticalSection.KERNEL32(?,?,?,0053076C,00000009,00000000,00000000,00000001,00533DE1,00000001,00000074,?,?,00000000,00000001), ref: 005366AC
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000006.00000002.2565642066.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566125063.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566125063.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566628036.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566755959.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566784822.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566814354.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566840470.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566870321.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566898369.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2567102323.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$EnterFreeHeapInitialize
                                                    • String ID:
                                                    • API String ID: 641406236-0
                                                    • Opcode ID: 6bbe92e95e5e50c560ef673135305bb2aab7de2ade05c5dafc1efb0333b91f63
                                                    • Instruction ID: a866127fe020f7fef98054cf8992c6f43cbaa49073fdc435564f894815408189
                                                    • Opcode Fuzzy Hash: 6bbe92e95e5e50c560ef673135305bb2aab7de2ade05c5dafc1efb0333b91f63
                                                    • Instruction Fuzzy Hash: AD21C872801219ABDB209B54FC4AF9DBF78FF15720F280539F410A21D0DB345941CBA5
                                                    APIs
                                                    • LdrInitializeThunk.NTDLL(-0000007F), ref: 10004BAD
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                                                    • Instruction ID: 7f13cb2829284cec5adb7bd0b88e9c5a5f53f04c1fb2448feb0c9f08ba257be5
                                                    • Opcode Fuzzy Hash: e502fa12d724a17ec6793826f56d8639c8130a795048e16d13a0eb84edd9aa86
                                                    • Instruction Fuzzy Hash: 0111C4B1600645DBFB20DF18C894B5973A5EB413D9F128336E806CB2E8CB78DD85C789
                                                    APIs
                                                    • LoadStringA.USER32(?,?,?,?), ref: 005459D8
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000006.00000002.2565642066.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566125063.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566125063.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566628036.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566755959.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566784822.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566814354.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566840470.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566870321.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566898369.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2567102323.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: LoadString
                                                    • String ID:
                                                    • API String ID: 2948472770-0
                                                    • Opcode ID: 40b681f0eb12bf682b615047342c379f509e79dc48667a59968eaf647e38dde4
                                                    • Instruction ID: 8e8ef572204fce2589af0aa7cf685f4fbdf9b9b9a2ff7f47f4f6fcf0d949cc61
                                                    • Opcode Fuzzy Hash: 40b681f0eb12bf682b615047342c379f509e79dc48667a59968eaf647e38dde4
                                                    • Instruction Fuzzy Hash: F3D0A7721083A29BC711DF508809DCFBFA8BF94320B044C0DF48453112D330C804CB61
                                                    APIs
                                                    • ShowWindow.USER32(?,?,004C0E6C,00000000), ref: 005444B8
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000006.00000002.2565642066.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566125063.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566125063.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566628036.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566755959.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566784822.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566814354.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566840470.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566870321.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566898369.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2567102323.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: ShowWindow
                                                    • String ID:
                                                    • API String ID: 1268545403-0
                                                    • Opcode ID: acf6b276f8ca7226e4bb5dde0f7d0ba1f39025784c939386b435f722e44fa1d2
                                                    • Instruction ID: f17d4fe166e2984382da11de18e3af9d95e80066a9337b616801462ce75c6cca
                                                    • Opcode Fuzzy Hash: acf6b276f8ca7226e4bb5dde0f7d0ba1f39025784c939386b435f722e44fa1d2
                                                    • Instruction Fuzzy Hash: 04D09230204300EFCF058F60DA48B5ABBB2BF94709B299A68F04A8A525D732DC12EF05
                                                    APIs
                                                    • DeleteFileA.KERNEL32(00000000,10015A7E,00000001,10014425,00000000,80000004), ref: 10028E55
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: DeleteFile
                                                    • String ID:
                                                    • API String ID: 4033686569-0
                                                    • Opcode ID: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                                                    • Instruction ID: ffbd99c73049c44a809e906c9e813abd6042298cab9f2baa300a0a2bd65e465f
                                                    • Opcode Fuzzy Hash: fa2665b6ac963b161292b6cf763d28651fb78e505f2996d4b34d6e62a351a2d0
                                                    • Instruction Fuzzy Hash: 5EA00275904611EBDE11DBA4C9DC84B7BACAB84341B108844F155C2130C634D451CB21
                                                    APIs
                                                    • IsIconic.USER32(?), ref: 004CC7EC
                                                    • IsZoomed.USER32(?), ref: 004CC7FA
                                                    • LoadLibraryA.KERNEL32(User32.dll,00000003,00000009), ref: 004CC824
                                                    • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 004CC837
                                                    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004CC845
                                                    • FreeLibrary.KERNEL32(00000000), ref: 004CC87B
                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004CC891
                                                    • IsWindow.USER32(?), ref: 004CC8BE
                                                    • ShowWindow.USER32(?,00000005,?,?,?,?,00000004), ref: 004CC8CB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000006.00000002.2565642066.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566125063.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566125063.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566628036.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566755959.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566784822.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566814354.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566840470.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566870321.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566898369.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2567102323.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryProcWindow$FreeIconicInfoLoadParametersShowSystemZoomed
                                                    • String ID: GetMonitorInfoA$H$MonitorFromWindow$User32.dll
                                                    • API String ID: 447426925-661446951
                                                    • Opcode ID: 2aad0ee79b479b02fb2b946597527b075e3f00870acc05ba3d091f7f16e5603c
                                                    • Instruction ID: f399e171fcd14cdb3fa172c1acac950232705f0c1a6c5618e7b234c16eee75ca
                                                    • Opcode Fuzzy Hash: 2aad0ee79b479b02fb2b946597527b075e3f00870acc05ba3d091f7f16e5603c
                                                    • Instruction Fuzzy Hash: D0318275740702AFDB10AF61CC59F6B7BA8EF94B42F00451DFA06A7290DB78DC098B69
                                                    APIs
                                                    • UnmapViewOfFile.KERNEL32(00000000,00000000,00000000,?,00000018,00000000,00000000,00000000,00000000,00000000,00000018,00000000,00000000,00000000,00000000,00000000), ref: 100226B0
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: FileUnmapView
                                                    • String ID:
                                                    • API String ID: 2564024751-0
                                                    • Opcode ID: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                                                    • Instruction ID: aca3888e1ced534dfb8bff30dc6f5772290e13aa398f14ea119e8b9ebb5f1563
                                                    • Opcode Fuzzy Hash: fcdb37980512f5c2a5454dd6e4788c6138146d17f3cde7f746c149f80b301426
                                                    • Instruction Fuzzy Hash: CED1AF75D40209FBEF219FE0EC46BDDBAB1EB09714F608115F6203A2E0C7B62A549F59
                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 1001A976
                                                    • SelectObject.GDI32(00000000,00000000), ref: 1001A9E8
                                                    • SelectObject.GDI32(00000000,00000000), ref: 1001ABA2
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 1001ABFD
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ObjectSelect$Release
                                                    • String ID:
                                                    • API String ID: 3581861777-0
                                                    • Opcode ID: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                                                    • Instruction ID: 0a28f281d22c81f76b667070ee8f4b39c3514b9b46e69f88ae8cd14bf3a1b365
                                                    • Opcode Fuzzy Hash: 016045839d6574eced5056fb230da70806107c6e75e1076cf05294477ed0f175
                                                    • Instruction Fuzzy Hash: 2B9116B0D40309EBDF01EF81DC86BAEBBB1EB0A715F005015F6187A290D3B69691CF96
                                                    APIs
                                                    • GetWindow.USER32(?,00000005), ref: 1001A773
                                                    • IsWindowVisible.USER32(00000000), ref: 1001A7AC
                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 1001A7E9
                                                    • GetWindow.USER32(00000000,00000002), ref: 1001A872
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Window$ProcessThreadVisible
                                                    • String ID:
                                                    • API String ID: 569392824-0
                                                    • Opcode ID: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
                                                    • Instruction ID: 356be4359fdaef5b37944779847d5b641f80ef076249e3ad3302764c89b6051f
                                                    • Opcode Fuzzy Hash: 7eb4792724a3c751574948ed2bef03bc1f82abfcdfbe86bfaa65a7c348e8a528
                                                    • Instruction Fuzzy Hash: 284105B4D40219EBEB40EF90DC87BAEFBB0FB06711F105065E5097E190E7B19A90CB96
                                                    APIs
                                                    • ReleaseMutex.KERNEL32(?,?,10026B6B), ref: 100141AB
                                                    • NtClose.NTDLL(?), ref: 100141D7
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: CloseMutexRelease
                                                    • String ID: `+vw
                                                    • API String ID: 2985832019-2575219697
                                                    • Opcode ID: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
                                                    • Instruction ID: 38ac61447b851c898caa1bdb063a432cf123be9b48bf26603be34453f4d11833
                                                    • Opcode Fuzzy Hash: 9673063f24b859f5e245c19442cbc28e39fa0f3f237a8bfddd1f83e277d98800
                                                    • Instruction Fuzzy Hash: 69F08CB0E41308F7DA00AF50DC03B7DBA30EB16751F105021FA087E0A0DBB29A659A9A
                                                    APIs
                                                    • GetFocus.USER32 ref: 004C43EF
                                                    • GetWindowRect.USER32(?,?), ref: 004C4446
                                                    • GetParent.USER32(?), ref: 004C4456
                                                    • GetParent.USER32(?), ref: 004C4489
                                                    • GlobalSize.KERNEL32(00000000), ref: 004C44D3
                                                    • GlobalLock.KERNEL32(00000000), ref: 004C44DB
                                                    • IsWindow.USER32(?), ref: 004C44F4
                                                    • GetTopWindow.USER32(?), ref: 004C4531
                                                    • GetWindow.USER32(00000000,00000002), ref: 004C454A
                                                    • SetParent.USER32(?,?), ref: 004C4576
                                                    • SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 004C45C1
                                                    • SendMessageA.USER32(?,00008076,00000000,00000000), ref: 004C45D0
                                                    • GetParent.USER32(?), ref: 004C45E3
                                                    • SendMessageA.USER32(?,00008004,00000000,00000000), ref: 004C45FC
                                                    • GetWindowLongA.USER32(?,000000F0), ref: 004C4604
                                                    • SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004C4634
                                                    • SendMessageA.USER32(?,0000130C,00000000,00000000), ref: 004C4642
                                                    • IsWindow.USER32(?), ref: 004C468E
                                                    • GetFocus.USER32 ref: 004C4698
                                                    • SetFocus.USER32(?,00000000), ref: 004C46B0
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004C46BB
                                                    • GlobalFree.KERNEL32(00000000), ref: 004C46C2
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: Window$MessageSend$GlobalParent$Focus$FreeLockLongRectSizeUnlock
                                                    • String ID:
                                                    • API String ID: 300820980-0
                                                    • Opcode ID: 647a018591bfb8578e089642162e1cb533ddc8dd20299a7c97b7fd5eca86bcad
                                                    • Instruction ID: 3127b644e8a5c869610db6344457f4cc399a41bf09dab9003a4e7af5bce6750b
                                                    • Opcode Fuzzy Hash: 647a018591bfb8578e089642162e1cb533ddc8dd20299a7c97b7fd5eca86bcad
                                                    • Instruction Fuzzy Hash: 7DA168B4204701ABD764DF65CD94F6BBBE9BBC8700F104A1DFA4287391DB78E8058B59
                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(?), ref: 10029652
                                                    • LoadLibraryA.KERNEL32(?), ref: 1002965F
                                                    • wsprintfA.USER32 ref: 10029676
                                                    • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002968C
                                                      • Part of subcall function 10027B10: ExitProcess.KERNEL32 ref: 10027B25
                                                    • atoi.MSVCRT(?), ref: 100296CB
                                                    • strchr.MSVCRT ref: 10029703
                                                    • GetProcAddress.KERNEL32(00000000,00000040), ref: 10029721
                                                    • wsprintfA.USER32 ref: 10029739
                                                    • MessageBoxA.USER32(00000000,?,DLL ERROR,00000010), ref: 1002974F
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Messagewsprintf$AddressExitHandleLibraryLoadModuleProcProcessatoistrchr
                                                    • String ID: DLL ERROR
                                                    • API String ID: 3187504500-4092134112
                                                    • Opcode ID: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
                                                    • Instruction ID: 2d8d4974cead62a1b0d3c1b872151993aa02a2f76add0cb6c4d459240c98e11b
                                                    • Opcode Fuzzy Hash: 9540223c6458f4f61bd1187778cb6480ee137db95fa86fbff814e5090dc54c7b
                                                    • Instruction Fuzzy Hash: 7E3139B26003529BE310EF74AC94F9BB7D8EB85340F904929FB09D3241EB75E919C7A5
                                                    APIs
                                                    • ??2@YAPAXI@Z.MSVCRT(?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?,?,00000001), ref: 10028E9E
                                                    • strrchr.MSVCRT ref: 10028EC7
                                                    • RegOpenKeyA.ADVAPI32(00000000,00000000,?), ref: 10028EE0
                                                    • ??2@YAPAXI@Z.MSVCRT ref: 10028F03
                                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000400,?,?,?,00000698,80000004,00000000,00000000,00000000), ref: 10028F26
                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F34
                                                    • ??2@YAPAXI@Z.MSVCRT(?,00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F3E
                                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000), ref: 10028F5B
                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F8A
                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000), ref: 10028F97
                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000698,80000004,00000000,00000000,00000000,?,?,00000000,00000000), ref: 10028F9E
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: ??2@??3@$QueryValue$CloseOpenstrrchr
                                                    • String ID:
                                                    • API String ID: 1380196384-0
                                                    • Opcode ID: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
                                                    • Instruction ID: 11253f6a850e8c32f07a3e9f8fa5c0c7ac66a22cffc6c79301f50e11ea2e9c0e
                                                    • Opcode Fuzzy Hash: e7ace30d2f8466e70a135e9438976f98cc2e8929a4af4227705134379e3db402
                                                    • Instruction Fuzzy Hash: 304126792003055BE344DA78EC45E2B77D9EFC2660F950A2DF915C3281EE75EE0983A2
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,00534152,?,Microsoft Visual C++ Runtime Library,00012010,?,007C919C,?,007C91EC,?,?,?,Runtime Error!Program: ), ref: 0053B7E7
                                                    • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0053B7FF
                                                    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0053B810
                                                    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0053B81D
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$LibraryLoad
                                                    • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                    • API String ID: 2238633743-4044615076
                                                    • Opcode ID: cd5a99d3ae21148215eef40b4b3e2c06a136d6a41904b5fced94b3a7088571a7
                                                    • Instruction ID: cd3865fb14679fe404eec5118ea1c91d0cb48bb0d882a318f67504b037250069
                                                    • Opcode Fuzzy Hash: cd5a99d3ae21148215eef40b4b3e2c06a136d6a41904b5fced94b3a7088571a7
                                                    • Instruction Fuzzy Hash: 4D017C71601301ABAB609FB5AC84A6ABFECFA98791B44443EF301C2161DB74C9579B61
                                                    APIs
                                                    • LCMapStringW.KERNEL32(00000000,00000100,007C942C,00000001,00000000,00000000,771AE860,0082BD44,?,?,?,0052FCCD,?,?,?,00000000), ref: 00537596
                                                    • LCMapStringA.KERNEL32(00000000,00000100,007C9428,00000001,00000000,00000000,?,?,0052FCCD,?,?,?,00000000,00000001), ref: 005375B2
                                                    • LCMapStringA.KERNEL32(?,?,?,0052FCCD,?,?,771AE860,0082BD44,?,?,?,0052FCCD,?,?,?,00000000), ref: 005375FB
                                                    • MultiByteToWideChar.KERNEL32(?,0082BD45,?,0052FCCD,00000000,00000000,771AE860,0082BD44,?,?,?,0052FCCD,?,?,?,00000000), ref: 00537633
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,?,0052FCCD,?,00000000,?,?,0052FCCD,?), ref: 0053768B
                                                    • LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0052FCCD,?), ref: 005376A1
                                                    • LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0052FCCD,?), ref: 005376D4
                                                    • LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0052FCCD,?), ref: 0053773C
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: String$ByteCharMultiWide
                                                    • String ID:
                                                    • API String ID: 352835431-0
                                                    • Opcode ID: e86e594c4e53d6abf8ae965436166b39bf55b2b00f60a15279198b0530d4aa6d
                                                    • Instruction ID: 7cc9ecddc5018faacf7b363fa2b484acd24767e86601dcff93defb5c3da2efd3
                                                    • Opcode Fuzzy Hash: e86e594c4e53d6abf8ae965436166b39bf55b2b00f60a15279198b0530d4aa6d
                                                    • Instruction Fuzzy Hash: 3C5168B1904A49EFCF228F98DD56EEE7FB5FB48754F204519F911A2160D3328D20EBA0
                                                    APIs
                                                    • CreatePopupMenu.USER32 ref: 004D1A6E
                                                    • AppendMenuA.USER32(?,?,00000000,?), ref: 004D1BD1
                                                    • AppendMenuA.USER32(?,00000000,00000000,?), ref: 004D1C09
                                                    • ModifyMenuA.USER32(?,00000000,00000000,00000000,00000000), ref: 004D1C27
                                                    • AppendMenuA.USER32(?,?,00000000,?), ref: 004D1C85
                                                    • ModifyMenuA.USER32(?,?,?,?,?), ref: 004D1CAA
                                                    • AppendMenuA.USER32(?,?,?,?), ref: 004D1CF2
                                                    • ModifyMenuA.USER32(?,?,?,?,?), ref: 004D1D17
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: Menu$Append$Modify$CreatePopup
                                                    • String ID:
                                                    • API String ID: 3846898120-0
                                                    • Opcode ID: 20826babb989f5e736250c80dcd0fa1a275c245e1f715fe9bc7b9d36ffc9fef0
                                                    • Instruction ID: 3e1ae15f5f027956ee5481439c73db12b96aed040bc784fb215d33a7b97caef1
                                                    • Opcode Fuzzy Hash: 20826babb989f5e736250c80dcd0fa1a275c245e1f715fe9bc7b9d36ffc9fef0
                                                    • Instruction Fuzzy Hash: 44D177B1604310ABC714DF18C894A6BBBE4EF99754F04492EF98593361E739EC41CBAA
                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0053409B
                                                    • GetStdHandle.KERNEL32(000000F4,007C919C,00000000,00000000,00000000,?), ref: 00534171
                                                    • WriteFile.KERNEL32(00000000), ref: 00534178
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: File$HandleModuleNameWrite
                                                    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                    • API String ID: 3784150691-4022980321
                                                    • Opcode ID: 44d1dd80293e663d5ac1218e8b7adabf97ca11d90153c478b998163af7059214
                                                    • Instruction ID: 1f027e4b3f91af8a4ecf20f334a3eca0d66f92e4be03934789845ddfcab1dbcf
                                                    • Opcode Fuzzy Hash: 44d1dd80293e663d5ac1218e8b7adabf97ca11d90153c478b998163af7059214
                                                    • Instruction Fuzzy Hash: D131B473A00219AFDF20AA60CC8EFDA7BACFB85750F15046AF245DA091E674A9848F51
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: %I64d$%lf
                                                    • API String ID: 0-1545097854
                                                    • Opcode ID: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
                                                    • Instruction ID: a68653634a99df22c50c27c61c92b13d05d716d03379e836d9a088690611f418
                                                    • Opcode Fuzzy Hash: a4c15939d3e60ba9db88d579da1c1132da41a341171e7d735073e2800846d90c
                                                    • Instruction Fuzzy Hash: 0F516C7A5052424BD738D524BC85AEF73C4EBC0310FE08A2EFA59D21D1DE79DE458392
                                                    APIs
                                                    • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0052DFAE), ref: 00533A82
                                                    • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0052DFAE), ref: 00533A96
                                                    • GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0052DFAE), ref: 00533AC2
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0052DFAE), ref: 00533AFA
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0052DFAE), ref: 00533B1C
                                                    • FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0052DFAE), ref: 00533B35
                                                    • GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0052DFAE), ref: 00533B48
                                                    • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00533B86
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentStrings$ByteCharFreeMultiWide
                                                    • String ID:
                                                    • API String ID: 1823725401-0
                                                    • Opcode ID: d570133b7d91ad5f6a6293394aad9a64a34e1d88e58a043df96b3a932e071015
                                                    • Instruction ID: 2b1616c7106ceec47167a88201f87a4b633230707dc60d2b1198306b476f87a8
                                                    • Opcode Fuzzy Hash: d570133b7d91ad5f6a6293394aad9a64a34e1d88e58a043df96b3a932e071015
                                                    • Instruction Fuzzy Hash: 6E31E1725082656FD7207FB96CA883FFF9CFB95368F150939F592C3110EA218E848265
                                                    APIs
                                                    • IsWindow.USER32(?), ref: 004C0B8D
                                                    • GetParent.USER32(?), ref: 004C0B9F
                                                    • SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 004C0BC7
                                                    • GetWindowRect.USER32(?,?), ref: 004C0C51
                                                    • InvalidateRect.USER32(?,?,00000001,?), ref: 004C0C74
                                                    • GetWindowRect.USER32(?,?), ref: 004C0E3C
                                                    • InvalidateRect.USER32(?,?,00000001,?), ref: 004C0E5D
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: Rect$Window$Invalidate$MessageParentSend
                                                    • String ID:
                                                    • API String ID: 236041146-0
                                                    • Opcode ID: 098f9dc97179b873922c3abe21b9eef9e35919f87e2c218f2e93e7561513f00e
                                                    • Instruction ID: e0947b56ca2f04a257385ec4098ac119cb8262acb62baf3dfd04bcfada64dcc0
                                                    • Opcode Fuzzy Hash: 098f9dc97179b873922c3abe21b9eef9e35919f87e2c218f2e93e7561513f00e
                                                    • Instruction Fuzzy Hash: F491D035604306DBCB64EF65C850F6B73E8AF84758F040A1DFD469B292EB38ED018B99
                                                    APIs
                                                    • GetStringTypeW.KERNEL32(00000001,007C942C,00000001,?,771AE860,0082BD44,?,?,0052FCCD,?,?,?,00000000,00000001), ref: 0053AD67
                                                    • GetStringTypeA.KERNEL32(00000000,00000001,007C9428,00000001,?,?,0052FCCD,?,?,?,00000000,00000001), ref: 0053AD81
                                                    • GetStringTypeA.KERNEL32(?,?,?,?,0052FCCD,771AE860,0082BD44,?,?,0052FCCD,?,?,?,00000000,00000001), ref: 0053ADB5
                                                    • MultiByteToWideChar.KERNEL32(?,0082BD45,?,?,00000000,00000000,771AE860,0082BD44,?,?,0052FCCD,?,?,?,00000000,00000001), ref: 0053ADED
                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0052FCCD,?), ref: 0053AE43
                                                    • GetStringTypeW.KERNEL32(?,?,00000000,0052FCCD,?,?,?,?,?,?,0052FCCD,?), ref: 0053AE55
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: StringType$ByteCharMultiWide
                                                    • String ID:
                                                    • API String ID: 3852931651-0
                                                    • Opcode ID: 0d83e51d5868e8e8016c70a6eade98d1b35a08c1d42d0758f2823775c7e86228
                                                    • Instruction ID: 525e6efb8c9d8dacceed9861c887d0c5f425e2300bb12bc5ead7656633da191f
                                                    • Opcode Fuzzy Hash: 0d83e51d5868e8e8016c70a6eade98d1b35a08c1d42d0758f2823775c7e86228
                                                    • Instruction Fuzzy Hash: AD419872A00619EFCF219F94DC85EEF3FB8FB09B91F104829FA02D2150D7318914ABA1
                                                    APIs
                                                    • TlsGetValue.KERNEL32(00827A84,00827A74,00000000,?,00827A84,?,0054A007,00827A74,00000000,?,00000000,00549A1E,0054930D,00549A3A,00544E41,005460E6), ref: 00549DAA
                                                    • EnterCriticalSection.KERNEL32(00827AA0,00000010,?,00827A84,?,0054A007,00827A74,00000000,?,00000000,00549A1E,0054930D,00549A3A,00544E41,005460E6), ref: 00549DF9
                                                    • LeaveCriticalSection.KERNEL32(00827AA0,00000000,?,00827A84,?,0054A007,00827A74,00000000,?,00000000,00549A1E,0054930D,00549A3A,00544E41,005460E6), ref: 00549E0C
                                                    • LocalAlloc.KERNEL32(00000000,00000004,?,00827A84,?,0054A007,00827A74,00000000,?,00000000,00549A1E,0054930D,00549A3A,00544E41,005460E6), ref: 00549E22
                                                    • LocalReAlloc.KERNEL32(?,00000004,00000002,?,00827A84,?,0054A007,00827A74,00000000,?,00000000,00549A1E,0054930D,00549A3A,00544E41,005460E6), ref: 00549E34
                                                    • TlsSetValue.KERNEL32(00827A84,00000000), ref: 00549E70
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: AllocCriticalLocalSectionValue$EnterLeave
                                                    • String ID:
                                                    • API String ID: 4117633390-0
                                                    • Opcode ID: 0c27672eb7e2a69b119a922bc5c51664f563aa7cedc99e4f1f87a0019934c0f2
                                                    • Instruction ID: 09b94d30be2fa56e2af3ae6a8895b8d0937651ee5ae5d43eb24d9b14e3d7152c
                                                    • Opcode Fuzzy Hash: 0c27672eb7e2a69b119a922bc5c51664f563aa7cedc99e4f1f87a0019934c0f2
                                                    • Instruction Fuzzy Hash: CE31BF75100A05EFDB24DF65D89AFA7BBE8FB85359F00C618E416C7280DB70E819CB61
                                                    APIs
                                                    • GetVersionExA.KERNEL32 ref: 00533E6F
                                                    • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00533EA4
                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00533F04
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: EnvironmentFileModuleNameVariableVersion
                                                    • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                    • API String ID: 1385375860-4131005785
                                                    • Opcode ID: 5f5aec9753988e521ee00c7aa1cbce9d4f27956d871e25bf16a439817830d58f
                                                    • Instruction ID: 1fac27ccaf85a6ccd7877eedef7ea4f91b98e54911b44507f0b1565232d3b1cb
                                                    • Opcode Fuzzy Hash: 5f5aec9753988e521ee00c7aa1cbce9d4f27956d871e25bf16a439817830d58f
                                                    • Instruction Fuzzy Hash: 7B312472D012886DEB319670AC99BED7F7CBB06704F5404E9E045CA082F638DF8A9B11
                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0054A8F4
                                                      • Part of subcall function 0054A9E0: lstrlenA.KERNEL32(00000104,00000000,?,0054A924), ref: 0054AA17
                                                    • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0054A995
                                                    • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0054A9C2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000006.00000002.2565642066.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566125063.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566125063.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566628036.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566755959.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566784822.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566814354.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566840470.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566870321.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566898369.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2567102323.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: FileModuleNamelstrcatlstrcpylstrlen
                                                    • String ID: .HLP$.INI
                                                    • API String ID: 2421895198-3011182340
                                                    • Opcode ID: b5f670ab424f6d573ced6785778ccfc7733a109d63daecc920e69335f265d809
                                                    • Instruction ID: e309acdd19f7f32f2058438a563518ae08deb733372e08b10e14560455945e81
                                                    • Opcode Fuzzy Hash: b5f670ab424f6d573ced6785778ccfc7733a109d63daecc920e69335f265d809
                                                    • Instruction Fuzzy Hash: F8316FB6844B19AFDB61DB70D889BC6BBFCBF04314F10496AE19AD3151DB70A984CB50
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000006.00000002.2565642066.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566125063.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566125063.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566628036.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566755959.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566784822.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566814354.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566840470.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566870321.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566898369.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2567102323.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aea30e3c93261d788dedff7c98bfb86e2458d733cfd34f69ca971d7bc867fbe2
                                                    • Instruction ID: 10a36cc3363beee2afae00e2a34806bd8da0daef00e17cb18d2a0e3ed9a6e149
                                                    • Opcode Fuzzy Hash: aea30e3c93261d788dedff7c98bfb86e2458d733cfd34f69ca971d7bc867fbe2
                                                    • Instruction Fuzzy Hash: 54C1AD759047069FC350DF25C881E6FB7E9EBC5748F40892EF84297211EB38F9068BA6
                                                    APIs
                                                    • GetStartupInfoA.KERNEL32(?), ref: 00533BF7
                                                    • GetFileType.KERNEL32(?,?,00000000), ref: 00533CA2
                                                    • GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00533D05
                                                    • GetFileType.KERNEL32(00000000,?,00000000), ref: 00533D13
                                                    • SetHandleCount.KERNEL32 ref: 00533D4A
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000006.00000002.2565642066.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566125063.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566125063.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566628036.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566755959.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566784822.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566814354.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566840470.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566870321.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566898369.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2567102323.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: FileHandleType$CountInfoStartup
                                                    • String ID:
                                                    • API String ID: 1710529072-0
                                                    • Opcode ID: 38464a502c0b8e53c88d84cb5f93696967751c446be7360dba016f0289055c5c
                                                    • Instruction ID: fac841d1aa36cbe694dfe7fe8808099668c6041950a376ca93d5bf2937fb9e35
                                                    • Opcode Fuzzy Hash: 38464a502c0b8e53c88d84cb5f93696967751c446be7360dba016f0289055c5c
                                                    • Instruction Fuzzy Hash: 465102716006498FC720CB68D898BA5BFE0BF11368F299B6CD592DB2E1D730DE46D750
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000006.00000002.2565642066.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566125063.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566125063.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566628036.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566755959.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566784822.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566814354.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566840470.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566870321.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566898369.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2567102323.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: Menu$Destroy$AcceleratorTableWindow
                                                    • String ID:
                                                    • API String ID: 1240299919-0
                                                    • Opcode ID: e6e90fd9b84b9717b3859d7d9dafc34c096d08914daa7865720e872bf2ba34f5
                                                    • Instruction ID: ba1ee79579909c9762ed2fcb1c755608a1fe3fc2e43e3ce77f5f630114272844
                                                    • Opcode Fuzzy Hash: e6e90fd9b84b9717b3859d7d9dafc34c096d08914daa7865720e872bf2ba34f5
                                                    • Instruction Fuzzy Hash: 1531A476500206AFC760EF65DC44E6B77A9EF84348F02491DFC4587252EB38E809CBB4
                                                    APIs
                                                    • GetLastError.KERNEL32(00000103,7FFFFFFF,005302C2,00532BD7,00000000,?,?,00000000,00000001), ref: 00533DBE
                                                    • TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00533DCC
                                                    • SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00533E18
                                                      • Part of subcall function 005306B6: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00533DE1,00000001,00000074,?,?,00000000,00000001), ref: 005307AC
                                                    • TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00533DF0
                                                    • GetCurrentThreadId.KERNEL32 ref: 00533E01
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000006.00000002.2565642066.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566125063.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566125063.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566628036.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566755959.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566784822.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566814354.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566840470.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566870321.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566898369.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2567102323.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastValue$AllocCurrentHeapThread
                                                    • String ID:
                                                    • API String ID: 2020098873-0
                                                    • Opcode ID: 867b27963f1c94ac78a9d68af50683a92344fcf9b2fa8fc6a189ad7665713013
                                                    • Instruction ID: a077b9cd3ae76f53fca4410c562ffbe4335af381459dad44727e585bb389d531
                                                    • Opcode Fuzzy Hash: 867b27963f1c94ac78a9d68af50683a92344fcf9b2fa8fc6a189ad7665713013
                                                    • Instruction Fuzzy Hash: 05F0F636901B225BC7202B71BC1D71A3F54FF80772F100618F641DA1E0CF248941A694
                                                    APIs
                                                    • wsprintfA.USER32 ref: 10027B78
                                                    • MessageBoxA.USER32(00000000,?,error,00000010), ref: 10027B8F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: Messagewsprintf
                                                    • String ID: error$program internal error number is %d. %s
                                                    • API String ID: 300413163-3752934751
                                                    • Opcode ID: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                                                    • Instruction ID: e1549d366f44cd83cf328da68a9c66535f66093051f9031b2c984319b6cde580
                                                    • Opcode Fuzzy Hash: 9b981b78a64c18401d7889df049e23280723fff9be08447d19cff6f5f57e3dd4
                                                    • Instruction Fuzzy Hash: B9E092755002006BE344EBA4ECAAFAA33A8E708701FC0085EF34981180EBB1A9548616
                                                    APIs
                                                    • HeapAlloc.KERNEL32(00000000,00002020,007E9DD0,007E9DD0,?,?,00538878,00000000,00000010,00000000,00000009,00000009,?,0052F901,00000010,00000000), ref: 005383CD
                                                    • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00538878,00000000,00000010,00000000,00000009,00000009,?,0052F901,00000010,00000000), ref: 005383F1
                                                    • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00538878,00000000,00000010,00000000,00000009,00000009,?,0052F901,00000010,00000000), ref: 0053840B
                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00538878,00000000,00000010,00000000,00000009,00000009,?,0052F901,00000010,00000000,?), ref: 005384CC
                                                    • HeapFree.KERNEL32(00000000,00000000,?,?,00538878,00000000,00000010,00000000,00000009,00000009,?,0052F901,00000010,00000000,?,00000000), ref: 005384E3
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000006.00000002.2565642066.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566125063.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566125063.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566628036.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566755959.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566784822.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566814354.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566840470.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566870321.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566898369.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2567102323.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual$FreeHeap
                                                    • String ID:
                                                    • API String ID: 714016831-0
                                                    • Opcode ID: 991dbcac537383657eda3a7bde5d71162a55313cd4487680932ac892e478646f
                                                    • Instruction ID: 942abc00e94d758f5b59d3e96f9968313f9d00eb1fb7caf674c9f657b2a72b70
                                                    • Opcode Fuzzy Hash: 991dbcac537383657eda3a7bde5d71162a55313cd4487680932ac892e478646f
                                                    • Instruction Fuzzy Hash: 4D3102B16017169BD734CF24EC44B72BFA0FB48758F108A39F2559BAD0EB74A804CB48
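                                                     The five calls in the record above are the skeleton of a sub-allocator: VirtualAlloc(0, 0x400000, 0x2000, 0x4) reserves 4 MiB with MEM_RESERVE and PAGE_READWRITE, VirtualAlloc(0, 0x10000, 0x1000, 0x4) commits a 64 KiB chunk with MEM_COMMIT, and VirtualFree(0, 0, 0x8000) tears it down with MEM_RELEASE. Joe Sandbox prints sixteen stack words per call whether or not the API takes that many parameters, so only the first n values are arguments. The Python below is an added example, not code from the Joe Sandbox report or from the sample; it parses the "APIs" lines in this report's layout and decodes the VirtualAlloc/VirtualFree constants so an analyst can tell a read-write heap region from a PAGE_EXECUTE_* staging buffer. The SAMPLE text is copied from the record above; the ARITY table and the executable-protection test (any PAGE_EXECUTE* base value) are assumptions of this example.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function record and decode the
VirtualAlloc/VirtualFree arguments the report prints as raw hex words."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed input: the five API lines of the allocator record above, copied verbatim.
SAMPLE = """\
• HeapAlloc.KERNEL32(00000000,00002020,007E9DD0,007E9DD0,?,?,00538878,00000000,00000010,00000000,00000009,00000009,?,0052F901,00000010,00000000), ref: 005383CD
• VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00538878,00000000,00000010,00000000,00000009,00000009,?,0052F901,00000010,00000000), ref: 005383F1
• VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00538878,00000000,00000010,00000000,00000009,00000009,?,0052F901,00000010,00000000), ref: 0053840B
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00538878,00000000,00000010,00000000,00000009,00000009,?,0052F901,00000010,00000000,?), ref: 005384CC
• HeapFree.KERNEL32(00000000,00000000,?,?,00538878,00000000,00000010,00000000,00000009,00000009,?,0052F901,00000010,00000000,?,00000000), ref: 005384E3
"""

# Optional "Part of subcall function X:" prefix, Api.MODULE, optional "(args)", optional "ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$")

Arg = Union[int, str, None]   # hex word, inline literal such as .INI, or None for '?'

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: Optional[int]        # call-site address inside the dumped image
    parent: Optional[int]     # set on "Part of subcall function" entries

def _arg(token: str) -> Arg:
    token = token.strip()
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token          # literal shown inline by the report, e.g. ".HLP"

def parse_api_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [_arg(t) for t in m["args"].split(",")] if m["args"] else []
    return ApiCall(m["api"], m["module"], args,
                   int(m["ref"], 16) if m["ref"] else None,
                   int(m["parent"], 16) if m["parent"] else None)

def parse_api_block(text: str) -> List[ApiCall]:
    return [c for c in map(parse_api_line, text.splitlines()) if c]

# The sandbox dumps stack words past the real parameter count; only the first n are
# arguments. Arities are assumed from the documented prototypes of each API.
ARITY = {"VirtualAlloc": 4, "VirtualFree": 3, "HeapAlloc": 3, "HeapFree": 3}
MEM_FLAGS = [(0x1000, "MEM_COMMIT"), (0x2000, "MEM_RESERVE"), (0x4000, "MEM_DECOMMIT"),
             (0x8000, "MEM_RELEASE"), (0x80000, "MEM_RESET"), (0x100000, "MEM_TOP_DOWN")]
PAGE_BASE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}

def flag_names(value: int, table) -> List[str]:
    names = [name for bit, name in table if value & bit]
    known = sum(bit for bit, _ in table)
    if value & ~known:
        names.append(hex(value & ~known))   # keep unrecognised bits visible
    return names

def decode_protect(value: int) -> str:
    base = PAGE_BASE.get(value & 0xFF, hex(value & 0xFF))
    return base + ("|PAGE_GUARD" if value & 0x100 else "")

def decode_virtual_alloc(call: ApiCall) -> dict:
    addr, size, alloc_type, protect = call.args[:ARITY["VirtualAlloc"]]
    protect = protect or 0
    return {"address": addr, "size": size,
            "alloc_type": flag_names(alloc_type or 0, MEM_FLAGS),
            "protect": decode_protect(protect),
            "executable": bool(protect & 0xF0)}   # any PAGE_EXECUTE* base value

def decode_virtual_free(call: ApiCall) -> dict:
    addr, size, free_type = call.args[:ARITY["VirtualFree"]]
    return {"address": addr, "size": size, "free_type": flag_names(free_type or 0, MEM_FLAGS)}

def summarize_allocator(calls: List[ApiCall]) -> dict:
    """Bytes reserved/committed, whether any region is executable, whether it is released."""
    s = {"reserve_bytes": 0, "commit_bytes": 0, "executable": False, "released": False}
    for c in calls:
        if c.api == "VirtualAlloc":
            d = decode_virtual_alloc(c)
            size = d["size"] if isinstance(d["size"], int) else 0
            if "MEM_RESERVE" in d["alloc_type"]:
                s["reserve_bytes"] += size
            if "MEM_COMMIT" in d["alloc_type"]:
                s["commit_bytes"] += size
            s["executable"] = s["executable"] or d["executable"]
        elif c.api == "VirtualFree" and "MEM_RELEASE" in decode_virtual_free(c)["free_type"]:
            s["released"] = True
    return s
```

                                                     Running summarize_allocator(parse_api_block(SAMPLE)) on the copied lines gives reserve_bytes 0x400000, commit_bytes 0x10000, executable False and released True, which is what a reserve-then-commit heap arena looks like; the same decoder applied to a record whose VirtualAlloc carries protect 0x40 would report executable True, the value worth triaging first. The parser also accepts the "Part of subcall function" entries and calls shown without an argument list (SetHandleCount in the record further up), and leaves "?" words as None rather than guessing.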
                                                    APIs
                                                    • IsWindow.USER32(00000000), ref: 004C2E04
                                                    • GetParent.USER32(00000000), ref: 004C2E54
                                                    • IsWindow.USER32(?), ref: 004C2E74
                                                    • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 004C2EEF
                                                      • Part of subcall function 005444AA: ShowWindow.USER32(?,?,004C0E6C,00000000), ref: 005444B8
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000006.00000002.2565642066.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566125063.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566125063.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566628036.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566755959.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566784822.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566814354.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566840470.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566870321.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566898369.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2566943774.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000006.00000002.2567102323.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: Window$ParentShow
                                                    • String ID:
                                                    • API String ID: 2052805569-0
                                                    • Opcode ID: 687432f1f2540717fc2b56ce354572a91960382ebb6e5681addc0a75091fd5d7
                                                    • Instruction ID: 007fa6930f704811530952e320cf4f3433f0727d2dd3ca81dd8391a694185478
                                                    • Opcode Fuzzy Hash: 687432f1f2540717fc2b56ce354572a91960382ebb6e5681addc0a75091fd5d7
                                                    • Instruction Fuzzy Hash: B041A03A6007059BD760DE65CD81FABB3A4AF84754F04452EFD05AB381D7F8EC058BA9
                                                    APIs
                                                    • malloc.MSVCRT ref: 10029FB3
                                                    • LCMapStringA.KERNEL32(00000804,00400000,?,?,00000000,?,?,?,?,?,000009DC,00000000,?,10028774,00000001,?), ref: 10029FE7
                                                    • free.MSVCRT ref: 10029FF6
                                                    • free.MSVCRT ref: 1002A014
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: free$Stringmalloc
                                                    • String ID:
                                                    • API String ID: 3576809655-0
                                                    • Opcode ID: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                                                    • Instruction ID: fe1f6c240ce4a888f48c4ee73cb5f64fbc811d22bf13276520b53d25543597c8
                                                    • Opcode Fuzzy Hash: 3d87b46e14f2d497d9d28619afb4a5b0de044c8a0172bd5c8dfa7591265ad328
                                                    • Instruction Fuzzy Hash: 2311D27A2042042BD348DA78AC45E7BB3D9DBC5265FA0463EF226D22C1EE71ED094365
                                                    APIs
                                                    • GetVersion.KERNEL32 ref: 0052DF3E
                                                      • Part of subcall function 00533F98: HeapCreate.KERNEL32(00000000,00001000,00000000,0052DF76,00000001), ref: 00533FA9
                                                      • Part of subcall function 00533F98: HeapDestroy.KERNEL32 ref: 00533FE8
                                                    • GetCommandLineA.KERNEL32 ref: 0052DF9E
                                                    • GetStartupInfoA.KERNEL32(?), ref: 0052DFC9
                                                    • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0052DFEC
                                                      • Part of subcall function 0052E045: ExitProcess.KERNEL32 ref: 0052E062
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
                                                    • String ID:
                                                    • API String ID: 2057626494-0
                                                    • Opcode ID: e7991187c405a5c657d8012c85f116ae9ec1b913ef2eb4f9835e5783d806f659
                                                    • Instruction ID: b07d7e60d4e6e2a2b43dd792442559cecc635a883b7b7f83cc69d3e872582151
                                                    • Opcode Fuzzy Hash: e7991187c405a5c657d8012c85f116ae9ec1b913ef2eb4f9835e5783d806f659
                                                    • Instruction Fuzzy Hash: 152180B1D047169EDB14AFB5EC5EA6D7FB8FF45700F104419F5019A2A1DB788941CB60
                                                    APIs
                                                    • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000020,00000000,00000000,00000000,80000005), ref: 10028DC8
                                                    • WriteFile.KERNEL32(00000000,?,?,?,00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9), ref: 10028E07
                                                    • CloseHandle.KERNEL32(00000000,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E1A
                                                    • CloseHandle.KERNEL32(00000000,1002C201,?,0000026C,?,?,?,?,?,?,-00000008,1002C1F9,00000000), ref: 10028E35
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2570424222.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_10000000_208.jbxd
                                                    Similarity
                                                    • API ID: CloseFileHandle$CreateWrite
                                                    • String ID:
                                                    • API String ID: 3602564925-0
                                                    • Opcode ID: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                                                    • Instruction ID: f6076fed0b983a52129b8cb4bf2c1cdfe7202da6017c1e667b93af5c44e6f27f
                                                    • Opcode Fuzzy Hash: f9af3b4438a18f4fcfa420cea5e243ba5770887f090d6cd41c32e5e75a4bd746
                                                    • Instruction Fuzzy Hash: 39118E36201301ABE710DF18ECC5F6BB7E8FB84714F550919FA6497290D370E90E8B66
                                                    APIs
                                                    • GetCPInfo.KERNEL32(?,00000000), ref: 00533123
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: Info
                                                    • String ID: $
                                                    • API String ID: 1807457897-3032137957
                                                    • Opcode ID: d1bb8b184f3352bed80452d50f3c9204763ae379cd3c92ea79c654891f836137
                                                    • Instruction ID: d01e2c7a0cf4411291fadcf202be6b9a69ea7c436b60de62783a0a9f6d851917
                                                    • Opcode Fuzzy Hash: d1bb8b184f3352bed80452d50f3c9204763ae379cd3c92ea79c654891f836137
                                                    • Instruction Fuzzy Hash: C44147351052986EDB268764DD49BFB7FA9FF06700F1404E4E689CB053C3A14B48CB62
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00541A67
                                                      • Part of subcall function 00545AEB: __EH_prolog.LIBCMT ref: 00545AF0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID: Hr|$V5
                                                    • API String ID: 3519838083-287586100
                                                    • Opcode ID: bb30d3bb2469c097396fff6c275649e0d798f2d7b51c463e346cccf888e9f960
                                                    • Instruction ID: 8d0f13ccc79fd192432d8b7166861417e8a4d7044fd187c59576a9ebbbeedcee
                                                    • Opcode Fuzzy Hash: bb30d3bb2469c097396fff6c275649e0d798f2d7b51c463e346cccf888e9f960
                                                    • Instruction Fuzzy Hash: 51F02830A01B05A7D734AB75854ABCE7FF4BB0471CF10863EB106965C2DBB48980C6A4
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00546186
                                                      • Part of subcall function 00545AEB: __EH_prolog.LIBCMT ref: 00545AF0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID: V5 $xk|
                                                    • API String ID: 3519838083-3271888328
                                                    • Opcode ID: 55c499686af89a1c782a1546af300720fb9dfde5505813c1420ac228c28b3b01
                                                    • Instruction ID: 3832c99a36d08ca000ed4c5f5effb8e8baf7ef0ed07abf395d00a7edf5ce4fe9
                                                    • Opcode Fuzzy Hash: 55c499686af89a1c782a1546af300720fb9dfde5505813c1420ac228c28b3b01
                                                    • Instruction Fuzzy Hash: 4AF0F470A00705ABDB24AB65844B7DE7FE4BB04318F10852EB501961C2CA78CA00C745
                                                    APIs
                                                    • HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,00537CD2,00000000,00000000,00000000,0052F8A3,00000000,00000000,?,00000000,00000000,00000000), ref: 00537F32
                                                    • HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,00537CD2,00000000,00000000,00000000,0052F8A3,00000000,00000000,?,00000000,00000000,00000000), ref: 00537F66
                                                    • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00537F80
                                                    • HeapFree.KERNEL32(00000000,?), ref: 00537F97
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: AllocHeap$FreeVirtual
                                                    • String ID:
                                                    • API String ID: 3499195154-0
                                                    • Opcode ID: 0503dc02ae42ee87c5147a2e0f64eac262c90d96ebe3d0143bade627e7d6f923
                                                    • Instruction ID: 26a2d7347f7df36e28c9919c35e4d4fc5052968074744c83a50aa0b8215e5fd5
                                                    • Opcode Fuzzy Hash: 0503dc02ae42ee87c5147a2e0f64eac262c90d96ebe3d0143bade627e7d6f923
                                                    • Instruction Fuzzy Hash: 2B119E702027409FC7308F59EC45EA27FB2FB95360B148A29F152C75B0D331A846DF04
                                                    APIs
                                                    • EnterCriticalSection.KERNEL32(00827C38,?,00000000,?,?,0054A04D,00000010,?,00000000,?,?,?,00549A34,00549A97,0054930D,00549A3A), ref: 0054AD17
                                                    • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0054A04D,00000010,?,00000000,?,?,?,00549A34,00549A97,0054930D,00549A3A), ref: 0054AD29
                                                    • LeaveCriticalSection.KERNEL32(00827C38,?,00000000,?,?,0054A04D,00000010,?,00000000,?,?,?,00549A34,00549A97,0054930D,00549A3A), ref: 0054AD32
                                                    • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,0054A04D,00000010,?,00000000,?,?,?,00549A34,00549A97,0054930D,00549A3A,00544E41), ref: 0054AD44
                                                      • Part of subcall function 0054AC49: GetVersion.KERNEL32(?,0054ACEC,?,0054A04D,00000010,?,00000000,?,?,?,00549A34,00549A97,0054930D,00549A3A,00544E41,005460E6), ref: 0054AC5C
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$Enter$InitializeLeaveVersion
                                                    • String ID:
                                                    • API String ID: 1193629340-0
                                                    • Opcode ID: bb8389f35bd2c6a99bde4d361fcdbad8b99677470b8a5d3dc0bbd2e26700a264
                                                    • Instruction ID: 9094060d02c22089b7eb9b224c9fdb09d7a91167286a51c28f094c6f1adee2d4
                                                    • Opcode Fuzzy Hash: bb8389f35bd2c6a99bde4d361fcdbad8b99677470b8a5d3dc0bbd2e26700a264
                                                    • Instruction Fuzzy Hash: FCF0C23544521ADFCB60DF76ECD4996BB6CFB7031BB00443AE205C3021D731A45ADBA6
                                                    APIs
                                                    • InitializeCriticalSection.KERNEL32(?,00533D5B,?,0052DF88), ref: 00536638
                                                    • InitializeCriticalSection.KERNEL32(?,00533D5B,?,0052DF88), ref: 00536640
                                                    • InitializeCriticalSection.KERNEL32(?,00533D5B,?,0052DF88), ref: 00536648
                                                    • InitializeCriticalSection.KERNEL32(?,00533D5B,?,0052DF88), ref: 00536650
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000006.00000002.2565642066.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566125063.0000000000551000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566125063.00000000007B5000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566628036.00000000007D5000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566755959.00000000007D7000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566784822.00000000007D9000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566814354.00000000007E2000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566840470.00000000007E3000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566870321.00000000007E8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566898369.00000000007EB000.00000008.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.00000000007EC000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.00000000007F8000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.0000000000806000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.0000000000826000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2566943774.000000000082B000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000006.00000002.2567102323.000000000082E000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_208.jbxd
                                                    Similarity
                                                    • API ID: CriticalInitializeSection
                                                    • String ID:
                                                    • API String ID: 32694325-0
                                                    • Opcode ID: e2aa3fce27fd820a3db75997049886de26e256fa781f425bd74096d6f37e20cb
                                                    • Instruction ID: 5a5bd953fb2e2508b340f0c8fe6f8b42bdec844234ac3582288bdd8684a6eabb
                                                    • Opcode Fuzzy Hash: e2aa3fce27fd820a3db75997049886de26e256fa781f425bd74096d6f37e20cb
                                                    • Instruction Fuzzy Hash: 7CC002779020B4DACB512B56FE45D863F67EB0C2613018167A2045D63086251C60EFD8
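The function record above lists four InitializeCriticalSection calls by virtual address ("ref: 00536638" and so on) and a set of memory dump regions with the image rebased at 00400000. When triaging a report like this it is useful to check that each call site actually lies in an executable region of the dumped image and to convert the VA into an RVA that can be pasted into IDA against the dropped PE. The script below is an added example, not code from the Joe Sandbox report or from Joe Security. The dump file names and API lines are copied from the record above; the reading of the fifth dotted field of a .sdmp name as a Windows PAGE_* protection constant is an assumption inferred from the values (0x20 on the code region, 0x02 on the headers, 0x04/0x08 on writable data), not documented behaviour, as is treating each region as ending where the next listed region begins.

```python
"""Locate Joe Sandbox API call references inside the listed memory dump regions.

Added example, not part of the Joe Sandbox report. Input strings are copied
from the function record above; field meanings for .sdmp names are assumed.
"""
import re
from dataclasses import dataclass
from typing import Optional

IMAGE_BASE = 0x400000  # "Offset: 00400000, based on PE: true"

# ASSUMPTION: fifth field of the .sdmp name is a Windows PAGE_* protection value.
PAGE_PROTECT = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

# Dump regions as listed under "Memory Dump Source" for this function.
DUMP_FILES = [
    "00000006.00000002.2565642066.0000000000400000.00000002.00000001.01000000.00000003.sdmp",
    "00000006.00000002.2565691558.0000000000401000.00000020.00000001.01000000.00000003.sdmp",
    "00000006.00000002.2566125063.0000000000551000.00000002.00000001.01000000.00000003.sdmp",
    "00000006.00000002.2566125063.00000000007B5000.00000002.00000001.01000000.00000003.sdmp",
    "00000006.00000002.2566628036.00000000007D5000.00000008.00000001.01000000.00000003.sdmp",
    "00000006.00000002.2566755959.00000000007D7000.00000004.00000001.01000000.00000003.sdmp",
    "00000006.00000002.2566784822.00000000007D9000.00000008.00000001.01000000.00000003.sdmp",
    "00000006.00000002.2566814354.00000000007E2000.00000004.00000001.01000000.00000003.sdmp",
    "00000006.00000002.2566840470.00000000007E3000.00000008.00000001.01000000.00000003.sdmp",
    "00000006.00000002.2566870321.00000000007E8000.00000004.00000001.01000000.00000003.sdmp",
    "00000006.00000002.2566898369.00000000007EB000.00000008.00000001.01000000.00000003.sdmp",
    "00000006.00000002.2566943774.00000000007EC000.00000004.00000001.01000000.00000003.sdmp",
    "00000006.00000002.2566943774.00000000007F8000.00000004.00000001.01000000.00000003.sdmp",
    "00000006.00000002.2566943774.0000000000806000.00000004.00000001.01000000.00000003.sdmp",
    "00000006.00000002.2566943774.0000000000826000.00000004.00000001.01000000.00000003.sdmp",
    "00000006.00000002.2566943774.000000000082B000.00000004.00000001.01000000.00000003.sdmp",
    "00000006.00000002.2567102323.000000000082E000.00000002.00000001.01000000.00000003.sdmp",
]

# API lines as listed under "APIs" for this function.
API_LINES = [
    "InitializeCriticalSection.KERNEL32(?,00533D5B,?,0052DF88), ref: 00536638",
    "InitializeCriticalSection.KERNEL32(?,00533D5B,?,0052DF88), ref: 00536640",
    "InitializeCriticalSection.KERNEL32(?,00533D5B,?,0052DF88), ref: 00536648",
    "InitializeCriticalSection.KERNEL32(?,00533D5B,?,0052DF88), ref: 00536650",
]

# <pid>.<round>.<seq>.<base>.<protect>.<...>.sdmp  (field naming is assumed)
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<round>[0-9A-F]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\..*\.sdmp$"
)
API_RE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]{8})$")


@dataclass
class Region:
    name: str
    pid: int
    base: int
    protect: int


def parse_region(name: str) -> Region:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump file name: {name}")
    return Region(name, int(m["pid"], 16), int(m["base"], 16), int(m["prot"], 16))


def parse_api(line: str):
    m = API_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised API line: {line}")
    return m["api"], m["module"], m["args"].split(","), int(m["ref"], 16)


def find_region(regions, va: int) -> Optional[Region]:
    """Return the region containing va. A region is assumed to extend to the
    next listed base; the last region is treated as open-ended."""
    ordered = sorted(regions, key=lambda r: r.base)
    for cur, nxt in zip(ordered, ordered[1:] + [None]):
        if va >= cur.base and (nxt is None or va < nxt.base):
            return cur
    return None


def locate_calls(dump_files=DUMP_FILES, api_lines=API_LINES, image_base=IMAGE_BASE):
    """For each API reference: VA, RVA relative to the rebased image, the dump
    region it falls in, and whether that region is executable (PAGE_EXECUTE*)."""
    regions = [parse_region(n) for n in dump_files]
    results = []
    for line in api_lines:
        api, module, _args, ref = parse_api(line)
        region = find_region(regions, ref)
        results.append({
            "api": f"{module}!{api}",
            "va": ref,
            "rva": ref - image_base,
            "region_base": region.base if region else None,
            "protect": PAGE_PROTECT.get(region.protect, hex(region.protect)) if region else None,
            "executable": region is not None and bool(region.protect & 0xF0),
        })
    return results


if __name__ == "__main__":
    for r in locate_calls():
        print(f"{r['api']:<34} VA {r['va']:08X}  RVA {r['rva']:06X}  "
              f"region {r['region_base']:08X} {r['protect']}  exec={r['executable']}")
```

All four references resolve into the 00401000 region (protection 0x20, executable) at RVAs 136638 through 136650, which is what you would expect for call sites in the unpacked code section; a reference landing in a PAGE_READWRITE region would instead point at code executing from a heap or data region and deserve a closer look.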